<div><b>Down the Security Rabbithole Blog - Supplemental</b></div><div>Down the Security Rabbithole, The Blog. Herein are thoughts, ideas, musings of my own making. I invite you to think freely, respond, or share. Together we move intellectual thought on our industry forward.</div><div>Author: Rafal Los (<a href="http://www.blogger.com/profile/18106347834259269413">http://www.blogger.com/profile/18106347834259269413</a>). Feed last updated 2020-05-21.</div><div><br /></div><div><b>Point of View Matters</b> (Rafal Los, 2018-12-14)</div>Just a quick thought this morning as I'm reading the news on the attack against Italian oil services firm Saipem across Twitter and other news outlets. It struck me fairly quickly that much of what my security industry peers read is very one-sided, and perspective matters.<br /><br />Allow me to illustrate.<br /><br />This article shows up on most of the business wires; it's from Reuters:<br /><a href="https://www.reuters.com/article/us-saipem-cyber/saipem-revenues-will-not-be-impacted-by-cyber-attack-idUSKBN1OC1D4">https://www.reuters.com/article/us-saipem-cyber/saipem-revenues-will-not-be-impacted-by-cyber-attack-idUSKBN1OC1D4</a><br />It's short and gets to the point quickly.<br /><br /><ul><li>the attack on the firm will have no impact on the group's revenues</li><li>a cyber attack crippled over 300 computers and servers in the Middle East</li></ul><div>Short. To the point. 
Leads with the big story first (no revenue impact).</div><div><br /></div><div>This article was retweeted a bunch on the Twitter hacker and information security feeds:&nbsp;<a href="https://www.cyberscoop.com/shamoon-saipem-palo-alto-networks/">https://www.cyberscoop.com/shamoon-saipem-palo-alto-networks/</a></div><div>It paints a different story.</div><div><ul><li>uses words like "notorious", and highlights an&nbsp;<i>outage</i></li><li>it focuses on the negative impact (technologically) of the attack</li><li>likens it to the Saudi Aramco attack, and "<i>one of the most destructive cyberattacks in history</i>"</li></ul><div><br /></div></div><div>Saipem's own website has this to say:&nbsp;<a href="http://www.saipem.com/sites/SAIPEM_en_IT/con-side-dx/Press%20releases/2018/Cyber%20attack%20update.page">http://www.saipem.com/sites/SAIPEM_en_IT/con-side-dx/Press%20releases/2018/Cyber%20attack%20update.page</a>&nbsp;and is much more frank and simple in explanation.</div><div><br /></div><div>Now, let's get perspective.</div><div><br /></div><div>Corporate leadership likely reads the short version, on Reuters, which basically says "No financial impact, some computers got broken, move on." On the security side, we see a different, more in-depth (<i>obviously</i>) story develop. Now when you go to your CEO or CFO and say "<i>We need to do more to protect ourselves so we're not the next Saipem</i>" your CFO/CEO will likely look back at you and ask why. 
There was no revenue impact, and the risk seems to have been appropriately handled.</div><div><br /></div><div>Think about this as you look at security risks to your organization.</div><div>Original post: <a href="http://blog.wh1t3rabbit.net/2018/12/point-of-view-matters.html">http://blog.wh1t3rabbit.net/2018/12/point-of-view-matters.html</a></div><div><br /></div><div><b>Email Provider Disables Ransomware Mailbox - Good or Bad?</b> (Rafal Los, 2017-06-27)</div>Here's a headline that will likely make you cheer.<br />Or it'll make your heart sink as you realize your files are now gone. Forever.<br /><br />Or maybe it'll get you thinking like it did for me...<br /><blockquote class="tr_bq"><a href="https://www.bleepingcomputer.com/news/security/email-provider-shuts-down-petya-inbox-preventing-victims-from-recovering-files/" target="_blank">Email Provider Shuts Down Petya Inbox Preventing Victims From Recovering Files</a></blockquote>I read this line and started thinking ... oh my God ... what are some of the victims going to do?!<br /><blockquote class="tr_bq">"<i>The German email provider's decision is <span style="color: red;">catastrophic news for Petya victims</span>, as they won't be able to email the Petya author in the case they want to pay the ransom to recover sensitive files needed for urgent matters.</i>"</blockquote><br />While I believe Posteo&nbsp;had good intentions, I believe the net result will be a bad situation made significantly worse. 
In a ransomware scenario you have three options:<br /><br /><ul><li>Pay up (<i>hope you get your stuff back</i>)</li><li>Ignore it and restore from backup (<i>and hope your stuff is backed up</i>)</li><li>Hope like hell someone cracks the encryption/software/attacker in time to get your files back without having to pay (<i>hey, it's happened before</i>)</li></ul><div>The problem is if you're a Petya victim option #1 is no longer open to you. There are several scenarios where a victim could have no choice but to pay up, like when backups aren't available (<i>or they haven't planned that far ahead</i>). Now, a few friends on Twitter made a valid argument for what Posteo did - including that they wanted to stop funding an attacker and ultimately had a criminal on their hands they wanted to shut down. All well and good - but think of the impact.</div><div><br /></div><div>While I don't think it hurts the email provider to continue to keep the mailbox open, closing it down is catastrophic. It's irresponsible. And maybe even a little mean-spirited. Unless you're willing to argue that you've never been a victim, or that you "deserved what you got" (which is a BS argument) this action by Posteo is insane.</div><div><br /></div><div>On the other side of this coin, there are very <b>good reasons</b>&nbsp;to keep the mailbox open. For example it could provide some insight into the attacker/criminal. Maybe the attacker accidentally accesses the inbox from their home cable modem and investigators can track them down that way. You never know. There's the obvious reason that people should get their files back if they have <i>no other alternative but to pay</i>&nbsp;and we know that is the case in <b>many, many, many cases.</b></div><div><b><br /></b></div><div>What do you think? I think what Posteo did was rash and maybe a little stupid. 
Clearly they're not thinking about the victims here - and that's irresponsible.<br /><br /><br />-- Edit 27-June-17 @ 11:46pm<br /><br />So this is interesting and helps to understand the scope of what's affected and who is impacted. Still think it was a bright idea to kill that mailbox?<br /><a href="https://www.buzzfeed.com/otilliasteadman/heres-just-who-got-hit-by-that-latest-massive-cyberattack">https://www.buzzfeed.com/otilliasteadman/heres-just-who-got-hit-by-that-latest-massive-cyberattack</a></div><div>Original post: <a href="http://blog.wh1t3rabbit.net/2017/06/email-provider-disables-ransomware.html">http://blog.wh1t3rabbit.net/2017/06/email-provider-disables-ransomware.html</a></div><div><br /></div><div><b>Who falls for this?</b> (Rafal Los, 2017-06-18)</div>Sometimes a spammer hits my inbox with something <b>so amusing</b>&nbsp;I feel like I have to share. Check this one out. 
I can't tell you the last time I received something with such bad grammar, trying so hard to sound official yet catastrophically failing.<br /><br />Anyway, I think you'll enjoy this one as much as I did.<br /><br /><blockquote class="tr_bq">/---------------------<br />Federal Bureau of Investigation (FBI)<br />Anti-Terrorist And Monitory Crime Division.<br />Federal Bureau Of Investigation.<br />J.Edgar.Hoover Building Washington Dc<br />Customers Service Hours / Monday To Saturday<br />Office Hours Monday To Saturday:<br /><br />Dear Beneficiary,<br /><br />Series of meetings have been held over the past 7 months with the secretary general of the United Nations Organization. This ended 3 days ago. It is obvious that you have not received your fund which is to the tune of $16.5million due to past corrupt Governmental Officials who almost held the fund to themselves for their selfish reason and some individuals who have taken advantage of your fund all in an attempt to swindle your fund which has led to so many losses from your end and unnecessary delay in the receipt of your fund.for more information do get back to us.<br /><br />The National Central Bureau of Interpol enhanced by the United Nations and Federal Bureau of Investigation have successfully passed a mandate to the current Prime Minister of Cambodia Excellency Hun Sen to boost the exercise of clearing all foreign debts owed to you and other individuals and organizations who have been found not to have receive their Contract Sum, Lottery/Gambling, Inheritance and the likes. Now how would you like to receive your payment? because we have two method of payment which is by Check or by ATM card?<br /><br />ATM Card: We will be issuing you a custom pin based ATM card which you will use to withdraw up to $5,000 per day from any ATM machine that has the Master Card Logo on it and the card have to be renewed in 4 years time which is 2022. Also with the ATM card you will be able to transfer your funds to your local bank account. The ATM card comes with a handbook or manual to enlighten you about how to use it. Even if you do not have a bank account.<br />Check: To be deposited in your bank for it to be cleared within three working days. Your payment would be sent to you via any of your preferred option and would be mailed to you via FedEx. Because we have signed a contract with FedEx which should expire 25th of June 2017 you will only need to pay $180 instead of $420 saving you $240 so if you Pay before the one week you save $240 note that any one asking you for some kind of money above the usual fee is definitely a fraudsters and you will have to stop communication with every other person if you have been in contact with any. Also remember that all you will ever have to spend is $180.00 nothing more! Nothing less!<br /><br />And we guarantee the receipt of your fund to be successfully delivered to you within the next 24hrs after the receipt of payment has been confirmed.<br /><br />Note: Everything has been taken care of by the Government of Cambodia,The United Nation and also the FBI and including taxes, custom paper and clearance duty so all you will ever need to pay is $180.<br />DO NOT SEND MONEY TO ANYONE UNTIL YOU READ THIS: The actual fees for shipping your ATM card is $420 but because FedEx have temporarily discontinued the C.O.D which gives you the chance to pay when package is delivered for international shipping We had to sign contract with them for bulk shipping which makes the fees reduce from the actual fee of $420 to $180 nothing more and no hidden fees of any sort!To effect the release of your fund valued at $16.5million you are advised to contact our correspondent in Asia the delivery officer Miss.Chi Liko with the information below,<br /><br />Tele:+855977558948<br />Email: chiliko7@e-mail.ua<br /><br />You are adviced to contact her with the informations as stated below:<br />Your full Name..<br />Your Address:..............<br />Home/Cell Phone:..............<br />Preferred Payment Method ( ATM / Cashier Check )<br /><br />Upon receipt of payment the delivery officer will ensure that your package is sent within 24 working hours. Because we are so sure of everything we are giving you a 100% money back guarantee if you do not receive payment/package within the next 24hrs after you have made the payment for shipping.<br /><br />Yours sincerely,<br /><br />Miss Donna Story<br /><br />FEDERAL BUREAU OF INVESTIGATION<br />UNITED STATES DEPARTMENT OF JUSTICE<br />WASHINGTON, D.C. 20535<br />---------------------\</blockquote><div>Original post: <a href="http://blog.wh1t3rabbit.net/2017/06/who-falls-for-this.html">http://blog.wh1t3rabbit.net/2017/06/who-falls-for-this.html</a></div><div><br /></div><div><b>In Defense of Ethical Hacking</b> (Rafal Los, 2015-01-31)</div><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">Pete Herzog wrote an interesting piece on Dark Matters (Norse’s blog platform) a while back, and I’ve given it a few days to sink in because I didn’t want my response to be emotional. After a few days I’ve re-read the post a few more times and still have no idea where Pete, someone I otherwise consider fairly sane and smart (see his bio - <a href="http://blog.norsecorp.com/author/pherzog/">http://blog.norsecorp.com/author/pherzog/</a>), gets this premise he’s writing about. In fact, it annoyed me enough that I wrote up a response to his post… and Pete, I’m confused where this point of view comes from! I’d genuinely like to know… I’ll reach out and see if we can figure it out.<br /><br />— For the sake of this blog post, I consider ethical hacking and penetration testing to effectively be the same thing. 
I know not everyone agrees, and that’s unfortunate, but I guess you can’t please everyone.<br /><br />So here are my comments on Pete’s blog post titled “The Myth of Ethical Hacking” (<a href="http://blog.norsecorp.com/2015/01/27/the-myth-of-ethical-hacking/">http://blog.norsecorp.com/2015/01/27/the-myth-of-ethical-hacking/</a>).</span></span><br /><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span><br /><blockquote class="tr_bq"><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">“<i>I thought reacting is what you did when you weren’t secure. And I thought ethical hacking was proactive, showing you could take advantage of opportunities left by the stupid people who did the security.</i>”</span></span></blockquote><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">— Boy am I glad he doesn’t think this way anymore. Reacting is part of life, but it’s not done because you’re insecure; it’s done because business and technology, along with your adversaries, are dynamic. It’s like standing outside without an umbrella. It’s not raining… but if you stand there long enough you’ll need an umbrella. It’s not that you are stupid, it’s that weather changes. 
If you’re in Chicago, like I am, this happens about every 2.7 seconds.</span></span><br /><blockquote class="tr_bq"><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">“<i>I also thought ethical hacking and security testing were the same thing, because while security testing focused on making sure all security controls were there and working right and ethical hacking focused on showing a criminal could penetrate existing security controls, both were about proactively learning what needed to be better secured.</i>”</span></span></blockquote><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">— That’s an interesting distinction. I can’t say I believe this is any more than a simple difference in word choice. Isn’t this all about validation of the security an organization thinks they have, versus the reality of how attackers act and what they will target? I guess I could be wrong, but these terms: vulnerability testing, penetration testing, ethical hacking, security testing — they create confusion in the people trying to consume these services, understand security, and hire. Do they have any real value? I think this is one reason standards efforts by people in the security testing space were started, to demystify, de-obfuscate, and lessen confusion. Clearly it’s not working as intended?</span></span><br /><blockquote class="tr_bq"><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">“<i>Ethical hacking, penetration testing, and red-teaming are still considered valid ways to improve security posture despite that they test the tester as much, if not more, than the infrastructure.</i>”</span></span></blockquote><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">— Now, here’s a statement that I largely agree with. It’s not controversial anymore to say this. 
This is why things like the PTES (Penetration Testing Execution Standard) were born. Taking a look at the people who are behind this standard, you can easily see that it’s not just another shot in the dark or empty effort at standardizing how a penetration test (or ethical hack; these should be the same thing in my mind) is done - <a href="http://www.pentest-standard.org/index.php/FAQ">http://www.pentest-standard.org/index.php/FAQ</a>. Let me address red teaming for a minute too. Red Team exercises are not the same thing as penetration testing and ethical hacking — not really — it’s like the difference between asking someone if they can pick the lock on the front door, versus daring someone to break into your house and steal your passport without reservation. Red Teaming is a more aggressive approach. I’ve heard some call Red Team exercises “closer to what an actual attacker would behave like”; your mileage may vary on that one. Bottom line, though, you always get the quality you ask for (pay for). If you are willing to pay for high-grade talent, generally speaking you’ll get high-grade talent. If you’re looking for a cheap penetration test your results will likely be vastly different because the resources on the job may not be as senior or knowledgeable. The other thing here is this — not all penetration testers are experts in all technologies at your shop. Keep this in mind. Some folks are magicians with a Linux/Unix system, while others have grown their expertise in the Windows world. Some are web application experts, some are infrastructure experts, and some are generalists. The bottom line is that this is both true, something that should be accounted for, and largely not the fault of the tester.</span></span><br /><blockquote class="tr_bq"><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">“<i>Then again nearly everything has a positive side we can see if we squint. 
And as a practical, shake-the-CEO-into-awareness technique, criminal hacking simulations should be good for fostering change in a security posture.</i>”</span></span></blockquote><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">— I read this and wonder to myself… if the CEO hasn’t already been “shaken into awareness” through headlines in the papers and nightly news, then there is something else going on here that a successful ethical hack that ransacks the enterprise likely won’t solve.</span></span><br /><blockquote class="tr_bq"><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">“<i>So somehow, ethical hackers with their penetration testing and red-teaming, despite any flaws, have taken on this status of better security than, say, vulnerability scanning. Because there’s a human behind it? Is it artisan, and thus we pay more?</i>”</span></span></blockquote><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">— Wait, what?! If you see these two as equal, then you’ve either done a horrible job at picking your ethical hackers/penetration testers, or you don’t understand what you’re saying. As someone who spent a few years demonstrating to companies that web application security tools were critical to their success, I’ve never, ever said they can replace a human tester. Ever. To answer the question directly — YES, because there’s a human behind it, this is an entirely different thing. See above about the quality of the penetration tester, but the point stands.</span></span><br /><blockquote class="tr_bq"><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">“<i>It also has a fatal flaw: It tests for known vulnerabilities. However, in great marketing moves of the world volume 1, that is exactly how they promote it. That’s why companies buy it.
But if an ethical hacker markets that they test only for known vulnerabilities, we say they suck.</i>”</span></span></blockquote><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">— Oh, I think I see what’s going on here. The author is confusing vulnerability assessment with penetration testing, maybe. That’s the only logical explanation I can think of. Penetration testers have a massive advantage over scanning tools because of this wonderful thing called the human intellect. They can see and interpret errors that systems kick back. Because tools look for patterns, and respond accordingly, there are times where a human can see an error message and understand what it’s implying, but the machine has no such ability. In spite of all of technology’s advancements, tools are still using regular expressions and some rudimentary if-then clauses for pattern recognition. Machines, and by extension software, do not think. This puts software at a disadvantage relative to a human 100% of the time.</span></span><br /><blockquote class="tr_bq"><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">“<i>Now vulnerability scanning is indeed reactive. We wait for known flaws to be known, scan for them, and we then react to that finding by fixing it. Ethical hacking is indeed proactive. But not because it gives the defender omniscient threat awareness, but rather so we can know all the ways where someone can break in. Then we can watch for it or even fix it.</i>”</span></span></blockquote><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">— I’m going to ignore the whole reactive vs proactive debate here. I don’t believe it’s productive for this post, and I think many people don’t understand what these terms mean in security anyway. First, you’ll never, ever know “all the ways someone can break in”, ever. Never. That’s the beauty of the human mind.
Human beings are a creative bunch, and when properly incentivized, we will find a way once we’ve exhausted all the known ways. However, there’s a little caveat here, which I don’t believe is talked about enough. The reason we won’t ever know all the ways someone can break in, even if we give humans the ability to find all the ways, is these two things called scope and time. Penetration testers, ethical hackers and whatever you want to call them are time-boxed. Rarely do you get an open-ended contract, or even in the case of an internal resource, the ability to dedicate all the time you have to the task of finding ways to break in. Furthermore, there are typically many, many, many ways to break in. Systems can be misconfigured, unpatched, and left exposed in a million different ways. And even if you did have all the time you needed, these systems are dynamic and are going to change on you at some point, unless you work in one of "those" organizations, and if so then you’ve got bigger problems.</span></span><br /><blockquote class="tr_bq"><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">“<i>But does it really work that way? Isn’t what passes for ethical hacking too often just running vulnerability scanners to find the low hanging fruit and exploit that to prove a criminal could get in? Isn’t that really just finding known vulnerabilities like a vulnerability scanner does, but with a little verification thrown in?</i>”</span></span></blockquote><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">— And here it is. Let me answer this question on behalf of the many, many people I know who do actual ethical hacking/penetration testing: no. Also, if you find this to actually be true in your experience, you’re getting the wrong penetration testers.
Maybe fire your provider or staff.</span></span><br /><blockquote class="tr_bq"><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">“<i>There’s this myth that ethical hackers will make better security by breaking through existing security in complicated, sometimes clever ways that point out the glaring flaw(s) of the moment for remediation.</i>”</span></span></blockquote><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">— Talk to someone who does serious penetration testing for a living, or manages one of these teams. Many of them have a store of clever, custom code up their sleeves but rarely have to use it because the systems they test have so much broken on them that dropping custom code isn’t even remotely necessary.</span></span><br /><blockquote class="tr_bq"><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">“<i>But we know that all too often it’s just vulnerability scanning with scare tactics.</i>”</span></span></blockquote><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">— Again, you’re dealing with some seriously amateur, bad people or providers. Fire them.</span></span><br /><blockquote class="tr_bq"><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">“<i>And when there’s no way in, they play the social engineering card.</i>”</span></span></blockquote><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">— a) I don’t see the issue with this approach, b) there’s a 99.9% chance there is a way in without “playing the social engineering card”.</span></span><br /><blockquote class="tr_bq"><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">“<i>One of the selling points of ethical hacking is the skilled use of social engineering.
Let me save you some money: It works.</i>”</span></span></blockquote><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">— Yes, 90%+ of the time, even when the social engineer isn’t particularly skilled, it works. Why? Human nature. Also, employees who don’t know better. So what if it works, though? You still need to leverage that testing to show real use cases of how your defenses were easily penetrated, for educational purposes. Record it. Highlight those employees who let that guy with the 4 coffee cups in his hands through the turnstile without asking for a badge… but do it constructively so that they and their peers will remember. Testing should drive awareness, and real-life use cases are priceless.</span></span><br /><blockquote class="tr_bq"><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">“<i>So if ethical hacking as it’s done is a myth…</i>”</span></span></blockquote><span style="font-size: large;"><span style="font-family: Arial,Helvetica,sans-serif;">— Let me stop you right there. It’s not; you’ve just had some terrible experiences that I don’t believe are indicative of the wider industry. So since the rest of the article is based on this, I think we’re done here.</span></span><br /><br />Rafal Los (http://www.blogger.com/profile/18106347834259269413)<br />http://blog.wh1t3rabbit.net/2015/01/in-defense-of-ethical-hacking.html<br /><br />tag:blogger.com,1999:blog-7288550196015472186.post-7418370169332734107<br />Published 2015-01-16T00:35:00.000-06:00, updated 2015-01-16T00:38:26.257-06:00<br /><b>Beyond the Buzzwords: Why You Need Threat Intelligence</b><br /><br />I dislike buzzwords.<br /><br />Let me be more precise -- I heavily dislike it when a properly useful term is commandeered by the army of marketing people out there in the market space and promptly loses any real meaning.
It makes me crazy, as it should make you, when terms devised to speak to some new method, utility, or technology become virtually meaningless because everyone uses them to mean everything and nothing all at once. Being in a highly dynamic technical field is hard enough without having to play thesaurus games with the marketing people. They always win anyway.<br /><br />So when I see things like this post, "<a href="http://www.csoonline.com/article/2868515/security-leadership/7-security-buzzwords-that-need-to-be-put-to-rest.html#slide8" target="_blank">7 Security buzzwords that need to be put to rest</a>", on one hand I'm happy someone is out there taking the over-marketing and over-hyping of good terms to task, but on the other hand I'm apprehensive and left wondering whether we've thrown the baby out with the bathwater.<br /><br />In this case, if you look at slide 8, Threat Intelligence, you have this quote:<br /><blockquote class="tr_bq">"<i>This is a term that has been knocked about in the industry for the last couple of years. It really amounts to <b>little more than a glorified RSS feed</b> once you peel back the covers for most offerings in the marketplace.</i>"</blockquote><br />I'm unsure whether the author was going for irony or sarcasm, or has simply never seen a good Threat Intelligence feed before -- but this is just categorically wrong. Publishing this kind of thing is irresponsible, and does a disservice to the reading public who take these words from a journalist as truth.<br /><br /><br /><b>Hyperbole and Irony</b><br /><br />Let's be honest, there are plenty of threat intelligence feeds that match that definition. I can think of a few I'd love to tell you about, but non-disclosure agreements make that impractical.
Then there are those that provide a tremendous amount of value <b>when they are properly utilized</b>&nbsp;at the proper point in time, by the proper resources.<br /><br />Take for example a JSON-based <i>feed</i>&nbsp;of validated, known-bad IP addresses from one of the many providers of this type of data. I would hardly call this intelligence, but rather reputational <i>data</i>&nbsp;in the form of a feed. Sure, this is consumed much like you would an RSS feed of news -- except that the intent is typically automated consumption by tools and technologies that require very little human intervention.<br /><br />Is the insinuation here that this type of thing has little value? I would agree that in the grand scheme of intelligence a list of known-bad IP addresses has a very short shelf-life and a complicated utility model, which is necessarily more than a binary decision of "good vs. bad" -- but this does not completely destroy its utility to the security organization. Take for example a low-maturity organization that is understaffed and relies heavily on network-based security devices to protect its assets. Incorporating a known-bad (IP reputation) feed into its currently deployed network security technologies may be more than a simple added layer of security. This may in fact be an evolution, but one that only a lower-level security organization can appreciate.<br /><br />My point is, don't throw away the potential utility of something like a reputation feed without first considering the context within which it will be useful.<br /><br /><br /><b>Without Intelligence, We're Blind</b><br /><br />I don't know how to make this more clear. After spending a good portion of the last 4 months studying successful and operational security programs, I can't imagine a scenario where a security program <i>without the incorporation of threat intelligence</i>&nbsp;is even viable.
I'm sorry to report that without a threat-intelligence-focused strategy, we're left deploying the same old predictable patterns of network security, antivirus/endpoint and other static defenses which our enemies are well attuned to and can avoid without putting much thought into it.<br /><br />While I agree that the marketing organizations in the big vendors (and small, to be fair) have all but ruined the reputation of the phrase <i>threat intelligence</i>, I dare you to run a security program without understanding your threats and adversaries and still be successful at efficient detection and response. Won't happen.<br /><br />I guess I'm biased, since I've spent so much time researching this topic that I'm now what you may consider a true believer. I can sleep well knowing that thorough (and ongoing) research into successful security programs which incorporate threat intelligence leads me to conclude that <b>threat intelligence is essential</b>&nbsp;to an effective and focused enterprise security program. I'm still not an expert, but at least I've seen it both succeed and fail and can tell the difference.<br /><br /><br /><b>So why the hate? Let's ideate</b><br /><br />I get it, security people are experiencing fatigue from buzzwords and terms taken over by marketing people, which makes our ears bleed every time someone starts making less than no sense. I get it, I really do. But let's not throw away the baby with the bathwater. Let's not dismiss something that has the potential to transform our security programs into something relevant to today's threats because we're sick of hearing talking heads misuse and abuse the term.<br /><br />I also get that when terms are over-hyped and misused it does everyone an injustice. Is an IP reputation list <b>threat intelligence</b>? I wouldn't call it that... it's just data.
There are hallmarks of threat intelligence that make it useful and much more than just a buzzword:<br /><br /><ol><li>it's actionable</li><li>it's complete</li><li>it's meaningful</li></ol>Once you have these characteristics for your threat intelligence "feed", then you have significantly more than just an RSS feed. You have something that can act as a catalyst for your security program stuck in the 90's. Let's not let our urge to be snarky get the best of us and throw away a perfectly legitimate term. Instead, let's take those who misuse and abuse the term and point them out and call them out for their disservice to our mission.<br /><br />Rafal Los (http://www.blogger.com/profile/18106347834259269413)<br />http://blog.wh1t3rabbit.net/2015/01/beyond-buzzwords-why-you-need-threat.html<br /><br />tag:blogger.com,1999:blog-7288550196015472186.post-8098228140938954562<br />Published 2014-12-15T08:00:00.000-06:00, updated 2014-12-15T13:29:27.144-06:00<br /><b>When the Press Aids the Enemy</b><br /><br />Let's start with this: freedom of the press is a critical part of any free society, and more importantly, of a democratically governed society.<br /><br />But that being said, I can't help but think there are times when the actions of the media aid the enemy. This is a touchy subject, so I'll keep it concise and just make a few points that stick in my mind.<br /><br />First, it's pretty hard to argue that the media looks for ever-more sensational headlines, truth be damned, to get clicks and drive traffic to their publication. Whether it's digital or actual ink-on-paper, sensationalism sells; there's no arguing with that.<br /><br />What troubles me is that, as in the war on terrorism, the enemy succeeds in their mission when the media creates hysteria and fear. This much should be clear.
The media tend to feed into this pretty regularly, and we see this in some of the most sensational headlines from stories that should be told in fact, not fantasy.<br /><br />So when I came across this article on Buzzfeed called "<a href="http://www.buzzfeed.com/annehelenpetersen/complicated-sony-ethics" target="_blank">The Messy Media Ethics Behind the Sony Hacks</a>" it suddenly hit me - the media may very well be playing perfectly into the enemy's hands. The "Guardians of Peace" (GOP) in their quest to ruin Sony Pictures Entertainment have <b>stolen</b>&nbsp;an unfathomable amount of information. As <a href="https://twitter.com/steved3" target="_blank">Steve Ragan</a>, who has written repeatedly about this and many other breaches, <a href="https://twitter.com/SteveD3/status/544336373457879040" target="_blank">tweeted</a>, that's 200Gb or 287,000 documents. That's mind-blowing.<br /><br />This cache of data has proven to contain yet-unreleased movies, marketing presentations, email exchanges between executives and attorneys, financial plans, employees' medical records and so much more. The GOP have made it clear their aim is to "punish" Sony Pictures Entertainment - and while we don't really have an insight as to the <b>true motivations</b>&nbsp;here, I think it's clear that releasing all this data is meant to have a severe negative impact on the business.<br /><br />What has followed in the days since the announcement of the hack is a never-ending stream of "news" articles that I struggle to understand. There were articles like this one <a href="http://gawker.com/sonys-embarrassing-powerpoints-are-even-worst-than-thei-1666403941" target="_blank">providing commentary and analysis on internal marketing department presentations</a>. There were articles analyzing the internal <i>and privileged</i>&nbsp;(as far as I know, but I'm not a lawyer) communications between corporate legal counsel and Sony Pictures executives.
There were articles talking about the release of SPE employee medical records. The hit-parade goes on and on... and I'm not linking over to any more of the trash because it embarrasses me.<br /><br />Clearly, <b>clearly</b>, the mainstream media (and hell, even the not-so-mainstream) have long lost their ethics. Some would claim that it's the "freedom of the press" that allows them to re-publish and discuss sensitive, internal documents. Others argue that since it's already in the public domain (available on BitTorrent) then it's fair game. <i>Note: This was discussed during the Snowden release - and it was clear that classified information released to the public domain does not suddenly lose its classified status</i>. I'm fairly certain this easily applies to the not-national-security type of assets as well. To be honest, this argument makes me question the intellectual integrity of some of the people who make it.<br /><br />Anyway, back to my point. If the GOP wanted to destroy Sony Pictures Entertainment, then hacking in and releasing secret information and intellectual property was only half the battle. The second half, unfortunately, is being picked up and executed by the media, bloggers, and talking heads putting out "analysis" on all this data. Publishing links to the hacked data, analyzing its contents, and looking for further embarrassing and ugly things to publish: the media should be ashamed of itself.<br /><br />The hack alone wasn't going to damage SPE's image to where it has fallen now - the media is clearly complicit in this, and it's a shame. I'm not an attorney, so I question whether publishing and discussing confidential communications between an attorney and an executive is ethical. Forget that, is it even <b>legal</b>? Journalists and bloggers continue to hide behind the "freedom of the press", and some folks have even taken to blasting me for daring to question the absolute rights of the press.
Except - the freedom of the press isn't absolute, as far as I know.<br /><br />But whether or not it's legal, clearly there are ethical problems here. If you're in the media and you're poring over the confidential email communications <b>stolen</b>&nbsp;from Sony Pictures Entertainment systems, I emphasize <b>stolen</b>, and you're commenting on this - to what end? Arguing that the media is releasing this information because (a) it's already in the public domain and (b) it's "for the public good" is ludicrous.<br /><br />Remember, while you're reveling in someone else's misery, that <b>you too</b>&nbsp;may be a coincidental victim one day. Then it'll be your turn to have your private information released and analyzed and attacked as part of the next breach. Your recourse? None... Glass houses, journalists. Glass houses.<br /><br />Rafal Los (http://www.blogger.com/profile/18106347834259269413)<br />http://blog.wh1t3rabbit.net/2014/12/when-press-aids-enemy.html<br /><br />tag:blogger.com,1999:blog-7288550196015472186.post-1006295390935907109<br />Published 2014-12-13T10:35:00.002-06:00, updated 2014-12-13T10:35:33.834-06:00<br /><b>Sony Pictures - Lessons From a Real Worst-Case Scenario</b><br /><br />There is a lot of junk floating around on the Internet and in the media regarding the Sony Pictures breach. Who did it? What were the motives?
These are all being violently discussed in the Twitter-sphere and elsewhere, and if you happen to read the articles and blogs being churned out by the media, your head is probably spinning right now.<br />While I don't think we (the public) generally know enough to be able to talk about the breach with any certainty yet - and perhaps we never will - there is a critical point here which I think is being missed.<br /><br />What is the lesson the public should take away from the breach, and its subsequent consequences?<br /><br />While nearly everyone has focused on the circus surrounding the breach itself - including the celebrity dirty laundry going public, unreleased movies being leaked to BitTorrent download sites, and the truckload of <b>everything you never want to get out</b>&nbsp;that's been dumped to the Internet - there is very little focus being given to the thing (<i>or things</i>) that we should all be taking away from this breach.<br /><br />By now everyone should agree breaches are inevitable, and continuing to pour money into the black hole that is <i>prevention</i>&nbsp;is ridiculous. Let me be clear, I'm not saying to spend <i>nothing on prevention</i>; I'm simply pointing out the continuing folly of pouring ever more money and resources into prevention which we <b>know</b>&nbsp;will fail. So this can't be the lesson.<br /><br />We all also know that segmentation of duties, data and processes should be a key point in <b>every</b>&nbsp;security program. We've been learning this lesson for almost 20 years now - and I can't help but feel that this push to an even faster delivery of IT services has made segmentation and segregation a near impossibility in many large enterprises. I've watched CISOs try to leverage tools, network architectures, system re-designs and even cloud services -- much in vain, as the result is that data, processes and duties of all levels of risk end up in a big free-for-all.
So, again, this isn't the lesson to learn.<br /><br />Should the lesson be that we must not poke the bear? I mean, let's face it, if you look at this objectively outside the limited American viewpoint - Sony Pictures did antagonize North Korea quite a bit. Then again, recent information made public by the Federal Bureau of Investigation (FBI) has indicated that North Korea was in fact not the perpetrator of this breach. So maybe poking the bear isn't the problem, and anyway this is a lesson we as humans should learn in kindergarten, not in the corporate world.<br /><br />So if you're still reading, then like me you may be searching for a <i>so what?</i>&nbsp;moment. And to be honest, I am struggling to provide one. So maybe it's not <b>one thing</b>&nbsp;that we need to learn but a much bigger set of things together. Maybe it's a lesson in humility, communications, planning, execution, operational efficiency, and crisis response all rolled into a heaping pile pushed down the hill and lit on fire. Maybe the bigger lesson we need to learn is that it's not one thing that we need to get right - but rather all of them have to work well together, and be planned, practiced and tuned.<br /><br />I seriously doubt anyone out there is planning and practicing for the kind of disaster Sony Pictures is facing right now. If <b>every single piece of intellectual and secret property</b>&nbsp;(including employee records, confidential communications, financials of all kinds, and more) you have was made public - where would you start to recover? Getting your IT systems back online is a good start, but that doesn't mean you can recover your business when your employees, partners, vendors, and customers are banging on your door demanding answers and action.<br /><br />Maybe that's it then; maybe the lesson is that you can't always package up a lesson learned neatly with a bow based on someone's catastrophic incident.
I think it's clear we all can be set ablaze in this manner. If it's not, then it should be. So the question I pose to you is this - what's your take-away from the Sony Pictures catastrophe?<br /><br />As a side note, many people and articles have taken to calling this an "<b>unprecedented</b>" breach. I am inclined to agree, but not for the technical reasons that are being rattled off. It's not because the method of attack was novel, or that there was likely an insider, or even the quantity and quality of the assets that were stolen - or heck, even that everything is being made public in an embarrassment to the company. No, I think this is unprecedented because we're seeing company executives apologizing to political leaders, civil rights activists fanning race-war flames with some of the email content published, and as one article put it "Sony is a pariah in Hollywood" right now. Folks - that's not good. This is a meltdown of a brutal nature, the likes of which I don't believe we've seen before. This is a PR catastrophe.<br /><br />As always, I'm interested in your thoughts... leave a comment, or hit me on Twitter.<br /><br />Rafal Los (http://www.blogger.com/profile/18106347834259269413)<br />http://blog.wh1t3rabbit.net/2014/12/sony-pictures-lessons-from-real-worst.html<br /><br />tag:blogger.com,1999:blog-7288550196015472186.post-4228413644942982680<br />Published 2014-12-02T22:23:00.000-06:00, updated 2014-12-03T11:35:44.477-06:00<br /><b>Is Bigger Budget an Adequate Measure of Security Efficacy?</b><br /><br />Bigger budgets - the envy of security professionals and the scourge of CISOs the world over.
While we'd all like bigger budgets to make security better within our organizations, getting more money to spend isn't necessarily a harbinger of goodness to come.<br /><div><br /></div><div>Earlier, a fantastic conversation broke out on Twitter (where else?), and it started with <a href="https://twitter.com/sawaba/status/539979176267513857" target="_blank">this tweet from Tony Vargas retweeted by Adrian Sanabria</a>:</div><div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-5aXqgENM4uA/VH6Qez6-AwI/AAAAAAAAH3Q/dbxOmU0ELW4/s1600/sawaba_tweet1.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-5aXqgENM4uA/VH6Qez6-AwI/AAAAAAAAH3Q/dbxOmU0ELW4/s1600/sawaba_tweet1.tiff" height="211" width="400" /></a></div><br /></div><div><br /></div><div>The conversation got a little snarky about how throwing money at a problem clearly doesn't indicate that it'll get any more attention or be any closer to being&nbsp;<i>solved</i>.
I then made a comment about the American budget and how spending more isn't really helping there. OK, that's a stretch, but the parallels are clear, I think.</div><div><br /></div><div><a href="https://twitter.com/stavvmc/status/539982521879244800" target="_blank">Stephen Coplan made an interesting point</a> which I've seen made many, many times - but I believe it to be false:</div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-zl7fXN_Eo44/VH6LG7XJ7jI/AAAAAAAAH24/Vac0eeErcdc/s1600/Stephen_Coplan_tweet1.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-zl7fXN_Eo44/VH6LG7XJ7jI/AAAAAAAAH24/Vac0eeErcdc/s1600/Stephen_Coplan_tweet1.tiff" height="181" width="400" /></a></div><div class="separator" style="clear: both; text-align: left;"><i>*Point of clarification: Stephen pointed out that he's not implying more money equals more efficacy, and I don't intend to represent his comments as such.</i></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">I personally do not believe a bigger budget means anything specifically, so equating a higher budget with more relevance is, I believe, false. I have personally witnessed <i>first-hand</i>&nbsp;how organizations take budget increases to spend wildly on necessary widgets, and then fail to operationalize. Security isn't about <b>spending more</b>; it never has been. In fact, a rapid increase in spending generally means that something went <i>publicly wrong</i>&nbsp;and the budget-holders are trying to make a <i>public display</i>&nbsp;of their sensitivity to fixing the issues.
Unfortunately, all too often these are simply that - public displays with little follow-through.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">I believe that rather than focus on how much more <b>money</b>&nbsp;an organization spends as a measure of its seriousness about addressing security issues, we should be focusing on <b>resources</b>. You see, "resources" includes everything necessary, including the critical people aspect as well as the widgets and gadgets that come in 1U rack-mountable formats to address the issues. Better security comes from better training of existing resources, more executive backing, better communications, and more operational support. Better security comes from a shift in culture: a willingness by security professionals to reach out to the business side and align better to its goals and needs, and the business folks making a concerted and serious effort to understand that security issues and breaches aren't just web site defacements anymore.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Security (or rather the criminal aspect of the game) is big business, with highly industrialized and specialized trades and vertical markets. Addressing security as a technology problem will lead to more breaches and more lost revenue, productivity, shareholder value and trade secrets, to name a few of the obvious consequences.
Security isn't a "their problem" anymore, in fact it never has been.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">If you're at all paying attention to the absolute worst-case scenario that Sony Pictures is living through right now (<a href="http://www.csoonline.com/article/2854672/business-continuity/the-breach-at-sony-pictures-is-no-longer-just-an-it-issue.html" target="_blank">Steve Ragan at CSO</a> is churning out an excellent series on the matter, I highly recommend you give it a read) you are becoming painfully aware that we're past business disruption, web site defacements and DDoS. We're into <b>business destruction</b>&nbsp;of the kind that has the potential to cost a company hundreds of millions of dollars not just today, but for <i>years to come</i>.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">What will it take for companies to take security seriously, and how will we measure that jump? I don't think the upward delta in budget size is the only indicator here. I believe we need to look at the overall resource allocation to understand whether security is being addressed as a cultural issue in the company, or whether we're just given more capital to buy shiny widgets with.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">In the end, <a href="https://twitter.com/caseyjohnellis/status/539987319076319232" target="_blank">Casey John Ellis had the tweet</a> that made our point eloquently. 
I think he said it best when it comes to the ability to "buy more stuff" for CISOs, in relation to that making a positive program-level impact on the organization-</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-ipbKcqzW9MM/VH6OxJGqCFI/AAAAAAAAH3E/OObxijBvwR0/s1600/CaseyJohnEllis_tweet1.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-ipbKcqzW9MM/VH6OxJGqCFI/AAAAAAAAH3E/OObxijBvwR0/s1600/CaseyJohnEllis_tweet1.tiff" height="213" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">...and this, my friends, about sums up my feelings on the matter.</div><div class="separator" style="clear: both; text-align: left;"><br /></div>Rafal Loshttp://www.blogger.com/profile/18106347834259269413noreply@blogger.com0http://blog.wh1t3rabbit.net/2014/12/is-bigger-budget-adequate-measure-of.htmltag:blogger.com,1999:blog-7288550196015472186.post-10865208970322912312014-12-01T07:30:00.000-06:002014-12-03T13:02:40.012-06:00When Your Marquee Client Gets HackedThere are people who will tell you that <b>all PR</b>&nbsp;is good PR. In my years in security I have seen both sides of that debate hold true. Lately though, particularly for security companies who are selling into the enterprise - this may be a double-edged sword that cuts deep.<br /><br />Look at any reputable (and some not-so-much) security vendor's website and you'll notice there's always a page that gives you all the different logos of the companies who use their products. Most times the vendor pays dearly for that either through deep discounts, or some other concessions just to be able to use the reference.
Generally this works to the vendor's advantage because seeing Vendor X used by your peers means that perhaps it's a good idea to give them a look.<br /><br />Except, maybe, when those peers are getting hammered for being a data breach victim.<br /><br /><a name='more'></a><br />This has happened a few times recently with vendors touting big names as marquee clients- then the marquee client suffers a massive data breach. Interestingly enough, some sales people still use the fact that the client had the product running in their environment to push the sales agenda, but I don't think this is the approach they want.<br /><br />Think about it.<br /><br />Your big client gets hit while they're being hailed as using your product or service. Are you sure you want to claim victory? Most of these aren't little incidents, but rather the kinds of breaches that make lawyers cry.<br /><br />There are two ways this presents itself-<br /><br />First, your product or service supports either the defense, detection, response or recovery from the attack and subsequent breach. This bodes well, generally. If the organization made the investment in your product or service and you helped them decrease the amount of pain they and their customers have to go through - you win.<br /><br />Second, your product was a bystander - neither helping nor hurting. This is where things get a little sketchy. Maybe you were sold the "SQL Injection Prevent-o-Matic" but your big e-commerce site was thoroughly ransacked using SQL Injection. 
There are two sub-plots that you can follow...<br /><br />If your product or service detected or <i>could have prevented, detected, or helped respond/recover from the attack</i>&nbsp;but no one operationalized your product or service - <b>you're in trouble</b>.<br /><br />Alternatively, if your product or service completely missed the attack and <i>didn't provide value</i> - <b>you're in trouble.</b><br /><b><br /></b>I've watched companies present marquee customers all the time with little regard for what that means to their corporate brand. "<i>This company just got hacked, true, but our product was right there telling them that they were getting hacked! If only they listened to our amazing product!</i>" is perhaps the worst marketing pitch, ever. You know why? Because you're demonstrating that even though your product <b>could</b>&nbsp;do amazing things for your clients, your failure to teach your clients how to operationalize and be effective with your product at best makes the whole thing a bad investment. At the very worst, it makes your product or service crap.<br /><br />This is why I marvel when I hear that claim made - "<i>They bought our stuff, if only they had used it properly...</i>". It makes me crazy because you're taking a backhanded swipe at your client <b>all while</b>&nbsp;making a clear statement that you were part of the failure.<br /><br />Folks, security kit isn't magic. You don't claim victory by having it dropped off at your dock, or even having it in-line and blinking in your racks. Heck, you don't even get credit if the console is up on someone's screen. Only when it's <b>fully operationalized</b>&nbsp;do you get to claim credit, in a positive way.<br /><br />Repeat after me - <b>fully operationalized</b>&nbsp;is how we claim success. I can't stress this enough. It's baffling that vendor and enterprise alike aren't fully getting this in wide adoption. Owning a Formula 1 car doesn't make a winning Formula 1 team.
A good pit crew, managers, lots of practice, operational mechanics, management, a driver and good telemetry are just the start of it. Once you get all of the parts together you have to work out bugs until the whole thing is near-perfect. Then you push harder. That's how you operationalize security - otherwise you've failed.Rafal Loshttp://www.blogger.com/profile/18106347834259269413noreply@blogger.com0http://blog.wh1t3rabbit.net/2014/12/when-your-marquis-client-gets-hacked.htmltag:blogger.com,1999:blog-7288550196015472186.post-59435139039115911302014-11-26T08:30:00.000-06:002014-11-26T15:09:55.995-06:00The Absolute Worst Case - 2 Examples of Security's Black SwansYou know that saying "<i>It just got real</i>"? If you're an employee of Sony Pictures - it just got real. In a very, very bad way. There are reports that the <b>entire Sony Pictures</b>&nbsp;infrastructure is down, computer, network, VPN and all - and that there isn't an ETR on target.<br /><br />There are reports that there is highly sensitive information being held for "ransom", if you can call it that, by the attackers. There is even some reporting that someone representing the attackers has contacted the tech media and disclosed that the way they were able to infiltrate so completely was <i>through insider help</i>. In other words, the barbarians were literally inside the castle walls.<br /><br /><a name='more'></a><br />If you work in enterprise security I don't need to explain to you how bad this is, or how thoroughly this type of compromise breaks every single contingency plan most companies (outside the government, defense space) have in place.
This compromise, an "<i>IT matter</i>" as Sony Pictures' PR calls it, is epic levels of bad.<br /><br />Definition of Black Swan event, for clarity:<br /><blockquote class="tr_bq">"<i>The black swan theory or theory of black swan events is a metaphor that describes an event that comes as a surprise, has a major effect, and is often inappropriately rationalized after the fact with the benefit of hindsight.</i>"</blockquote>--Source: Wikipedia--&nbsp;<a href="https://en.wikipedia.org/wiki/Black_swan_theory">https://en.wikipedia.org/wiki/Black_swan_theory</a><br /><br />You can read some fantastic reporting on the issue here:<br /><br /><ul><li><a href="https://www.twitter.com/steved3" target="_blank">Steve Ragan</a> - Salted Hash at CSO Magazine online:</li><ul><li><a href="http://www.csoonline.com/article/2851853/cyber-attacks-espionage/report-sony-pictures-facing-full-network-compromise.html">http://www.csoonline.com/article/2851853/cyber-attacks-espionage/report-sony-pictures-facing-full-network-compromise.html</a></li><li><a href="http://www.csoonline.com/article/2851649/physical-security/hackers-suggest-they-had-physical-access-during-attack-on-sony-pictures.html">http://www.csoonline.com/article/2851649/physical-security/hackers-suggest-they-had-physical-access-during-attack-on-sony-pictures.html</a></li></ul><li>Nicole Perlroth - <a href="https://www.twitter.com/nytimesbits" target="_blank">BITS</a> on the New York Times blog:</li><ul><li><a href="http://bits.blogs.nytimes.com/2014/11/25/sony-pictures-computers-down-for-a-second-day-after-network-breach/">http://bits.blogs.nytimes.com/2014/11/25/sony-pictures-computers-down-for-a-second-day-after-network-breach/</a></li></ul><li>The Verge's <a href="https://twitter.com/jake_k" target="_blank">Jacob Kastrenakes</a> &amp; Russell Brandom</li><ul><li><a 
href="http://www.theverge.com/2014/11/25/7281097/sony-pictures-hackers-say-they-want-equality-worked-with-staff-to-break-in">http://www.theverge.com/2014/11/25/7281097/sony-pictures-hackers-say-they-want-equality-worked-with-staff-to-break-in</a></li></ul></ul>Although I truly do not envy those poor souls in Enterprise Security over at Sony Pictures, it's the broader implications of this kind of attack that seriously concern me. This isn't the first time we've seen this type of attack - where the attackers had complete and total access (allegedly) into the infrastructure of the enterprise. It won't be the last time. So can we learn something here, and take it with us going forward? I think we can, if we're willing to pay attention.<br /><br />I'd like to pose a few hypothetical scenarios here, given the lesson we're learning again from this unfortunate case- and what can or should be done to avoid being, to put it mildly, <i>thoroughly screwed</i>.<br /><br /><b>Case- Insider Threat / Rogue Insider</b><br />Insider threats are the stuff of myth in much of enterprise security. We hear a lot about how dangerous they <i>can be</i>&nbsp;but it's rare that someone actually comes forward with a first-hand account. If this incident is truly an insider threat (rogue employee, aiding an outside attacker) then it will be a case used for years to illustrate the point.<br /><br />Insiders hold a special place in the nightmares of enterprise security professionals. Mostly because most of our defenses are positioned at our borders, so when someone who has access and is a <i>trusted insider</i>&nbsp;goes rogue we have very little recourse. This is the continuing problem we see as defenders - the M&amp;Ms paradigm. Hard outer shell, soft chewy middle.<br /><br />A lifetime ago when I was leading up enterprise security engineering our team had discussions about how we were going to protect ourselves against this type of threat.
We knew we had malicious insiders in many places with deep access and deeper pockets - so rooting them out wasn't going to work. If you can't <i>keep them out</i>&nbsp;then what's the next line of prevention? Maybe it's a little bit of 1990's technology like segmentation of network assets, separation of duties, and tight identity and access management controls. Beyond that, we profile people's behaviors and look to build operational baselines - I know this is much easier said than done, no need to repeat.<br /><br />So what happens when prevention fails, often catastrophically and publicly? We turn to detection and response. Failure to prevent isn't failure, it's a fail in the kill chain, forcing us to move to the next step down. Detection, swiftly and silently, is the next big key. Again, if you don't know what <i>normal </i>looks like you will never know what <i>abnormal deviation</i>&nbsp;is, I hope that's intuitive. I've never known an attacker that gets caught by an IPS signature - mainly because there is no such thing. So again, what does detection look like? I think it comes down to detecting deviations (even if they're subtle) in behavioral patterns of humans and/or systems. I don't think you need to spend a million dollars to do it. Maybe it's enough to use Marcus Ranum's "never-seen-before" idea. Take key assets, and build access tables for who accesses them, how frequently, and when. Then look for net-new access (even if it's legal/allowed) and investigate. Sure, you may technically have access to that HR share, but you really shouldn't be accessing it, and under normal conditions you wouldn't.<br /><br />But what if the things you're stealing as an insider threat are the things you work with and have access to every day? Well, then we focus on exfiltration (deeper down the kill chain). How does it leave your environment? Can you prevent people from taking data out of your network, or at least catch them when they try?
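The "never-seen-before" access-table idea a paragraph above is simple enough to sketch in code. What follows is an added example, not code from the post or from Marcus Ranum: it builds a per-asset baseline of who touched a key share and at what hours from a constructed history of access events, then flags net-new (user, asset) pairs and out-of-pattern hours in a new batch. The log format, the share names (finance-share, hr-share, engineering-share) and the user names are all constructed for the example; every access shown is permitted, which is the point of the technique.

```python
"""Never-seen-before access detection over a constructed file-share access log.

Baseline: for each key asset, which users have accessed it and at what hours.
Detection: any access to a key asset by a user never seen on it, or at an hour
that user has never touched it before, is a finding worth investigating, even
though the access itself is authorised.
"""
from collections import defaultdict

# Constructed sample events (not real data): "<ISO timestamp> <user> <action> <asset>".
HISTORY = [
    "2014-11-03T09:12:00 alice READ finance-share",
    "2014-11-03T09:40:00 alice READ finance-share",
    "2014-11-04T10:05:00 alice WRITE finance-share",
    "2014-11-03T14:20:00 bob READ hr-share",
    "2014-11-05T15:02:00 bob READ hr-share",
    "2014-11-06T16:45:00 bob READ hr-share",
    "2014-11-04T11:30:00 carol READ engineering-share",
]

NEW_EVENTS = [
    "2014-11-24T09:15:00 alice READ finance-share",   # normal user, normal hour
    "2014-11-24T02:10:00 alice READ finance-share",   # normal user, 02:00 never seen
    "2014-11-24T13:00:00 carol READ hr-share",        # carol has never touched hr-share
    "2014-11-24T14:05:00 bob READ hr-share",          # normal
]

# The "key assets" the post talks about: only these get the net-new treatment.
KEY_ASSETS = {"finance-share", "hr-share"}


def parse_line(line):
    """Split one event line into (timestamp, user, action, asset)."""
    ts, user, action, asset = line.split()
    return ts, user, action, asset


def hour_of(ts):
    """Hour of day from an ISO-8601 timestamp string such as 2014-11-24T02:10:00."""
    return int(ts[11:13])


def build_baseline(lines):
    """Return {asset: {user: {"count": n, "hours": set_of_hours}}} from history."""
    table = defaultdict(lambda: defaultdict(lambda: {"count": 0, "hours": set()}))
    for line in lines:
        ts, user, _action, asset = parse_line(line)
        entry = table[asset][user]
        entry["count"] += 1
        entry["hours"].add(hour_of(ts))
    return table


def detect(baseline, lines, key_assets):
    """Flag accesses to key assets that are net-new by user, or new by hour for a known user."""
    findings = []
    for line in lines:
        ts, user, action, asset = parse_line(line)
        if asset not in key_assets:
            continue
        seen_users = baseline.get(asset, {})   # .get does not create entries in the defaultdict
        finding = {"ts": ts, "user": user, "action": action, "asset": asset}
        if user not in seen_users:
            finding["reason"] = "new-user"
            findings.append(finding)
        elif hour_of(ts) not in seen_users[user]["hours"]:
            finding["reason"] = "new-hour"
            findings.append(finding)
    return findings


def run_example():
    """Build the baseline from HISTORY and run NEW_EVENTS through it."""
    return detect(build_baseline(HISTORY), NEW_EVENTS, KEY_ASSETS)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['ts']} {f['user']} {f['action']} {f['asset']}: {f['reason']}")
```

Two findings come out of the constructed batch: alice reading finance-share at 02:10 (new hour for a known user) and carol reading hr-share for the first time. Replaying the history against its own baseline produces nothing, which is the sanity check to run before trusting any baseline. In practice you would feed the baseline from real share, database or directory audit logs over a long enough window to cover normal monthly and quarterly patterns, and fold each investigated-and-benign finding back into the baseline so the same access is not flagged twice.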
I'm fairly confident the answer is no if it's just a general question - but if you can identify and tag at some meta-level the things that are critical, really critical, to your organization, maybe you can find out when they're trying to leave the infrastructure without permission? I don't know the answer here mainly because one answer isn't going to solve all of the problems out there, and it's a "<i>well, it depends</i>" answer based on your company profile.<br /><br />I can tell you this though, insider threats are models for using kill chain analysis.<br /><br />Recovering from an insider is a little more difficult, particularly when you don't know <b>who</b>&nbsp;they are. Insiders can burrow deep, and stay hidden for a long time - sometimes going completely undiscovered. This means that if you're fairly sure you've been compromised by a malicious insider, but can't identify the attacker, you're in for a rough go at trying to figure out what state to restore to. Do you restore your network/infrastructure to 2 days ago? 2 weeks ago? 2 months ago? The answer is uncertain until you find and profile the attacker. Once you do, you're likely to discover that you can't trust much of your infrastructure telemetry if the attacker was well-hidden. Covering their tracks is something "advanced" adversaries are good at.<br /><br />The things to think about here are two-fold. First - you need to identify and attribute the attack to someone, or a group. Post-haste. Yesterday speeds. You need to know who they are, so you can start tracing their steps and figure out what they did, when they did it, and the extent of the potential damage. If you can't figure this out quickly, getting the infrastructure to a working state may not do you any good because it could still be compromised in that state, or could leave you open to another run at compromise further down the line when you believe you've removed the threat.<br /><br />Second, you need to restore services and bring back the business.
Today many companies simply cease to exist without IT. If you want to degrade or destroy a company - take away their ability to network and communicate. The battle of service restoration versus security analysis will be bitter, and you'll probably lose as the CISO. Restore services, and figure out what's going on, maybe in parallel, maybe not - but that first step is almost universal with the notable exception of a few industry segments where being secured is as critical as being online.<br /><br /><br /><b>Case- Compromised Core Infrastructure</b><br />Nothing says you're about to have a bad day like the source of a major attack on your enterprise coming through your endpoint management infrastructure. This starts to feel a lot like an insider threat - although it doesn't necessarily have to be. I can't even imagine the horror of finding out that your endpoint patching and software delivery platform has been re-purposed to deliver malware to all of your endpoints and that it has been the focal point of your adversary's operations. If you can't trust your core infrastructure - what can you trust?<br /><br />Perhaps trust is the wrong way to look at it, as my friend <a href="https://twitter.com/SteveD3/status/537441876866244608" target="_blank">Steve Ragan pointed out</a>. So what then?<br /><br />Within the enterprise framework there has to be <i>some piece of infrastructure</i>&nbsp;that is trusted. Maybe it's a system that stays physically offline (off?) until it's critically needed with alternate credentials and operational parameters. Maybe it's a recovery platform that you have a known-good hash of so that you can quickly validate you're working with the genuine article. Maybe it's something else, but you have to have something to trust.<br /><br />If you have a compromised core infrastructure, I think you're looking at one of two options.
Option A is restoring your systems to a questionable state (not obviously compromised, and usable) and working backwards to find the intruder. Option B is closing everything down, re-deploying everything and starting from scratch. Option B may very well sound like the more security-sound option until you factor in the actual data. Nothing says your data can't be compromised...it's not just about Windows credentials. Maybe some of your company's top-secret documents are PDFs. Maybe the attacker was clever and trojaned all of your PDFs such that as soon as one is opened, the compromise starts all over again.<br /><br />I seriously doubt that would be detected because it's likely custom-written code and won't pop up on all but the most sophisticated (dare I say "next ten") detection tools.<br /><br />My suggestion here? Start with the inner-most critical components of your infrastructure, audit and reset credentials, and work your way out in concentric rings until you start to get to components which you can actually get by without. This exercise should keep your operations teams busy for a while, and you can maybe even get a parallel incident response investigation going in the meantime. On the plus side, this gives you a tiny window within which to start to build things better from the ashes. Or maybe not, since you'll be going at light speed plus 1mph. This is, however, the only advice that makes sense.
It's also the only advice I can give you that I have actually tried myself - and as painful as it sounds, believe me when I say that in real life it's significantly worse.<br /><br /><br />Before this post gets too long (<i>or have we long crossed that bridge?</i>) I think it's safe to say that very few of you reading this post are operationally prepared to handle this type of incident, where you've either got a malicious insider who has gone undetected and wreaked utter chaos, or a core infrastructure compromised by an outsider - or both if you've won the crap lottery. That's a problem because this is our black swan. This is our version of planes with hijackers flying into buildings. We know it's a possibility, but none of us have the resources to prepare, and let's face it - <i>we have bigger problems</i>. Except that these incidents are real. And the Black Swan is real. It happens. Now what?<br /><br />Does this adjust your world view, or risk model for your organization somehow? If so, in what way? Will you start taking the insider threat more seriously as a result? Why or why not... and how? By my unscientific calculation there are probably 0.05% of companies out there who have the capital and the resources to pull off recovering from one of these Black Swan events with anything even resembling success. The rest of us in the enterprise? What do we do when the worst-case happens?<br /><br />I'm curious how you see things. Leave a comment here, or take the conversation to Twitter with the hashtag #DtSR - let's talk about it.
I think we can learn something from the horrendous situation Sony Pictures is living right now - let's not waste a teachable moment for everyone, collectively, to get even a tiny bit better.Rafal Loshttp://www.blogger.com/profile/18106347834259269413noreply@blogger.com0http://blog.wh1t3rabbit.net/2014/11/the-absolute-worst-case-2-examples-of.htmltag:blogger.com,1999:blog-7288550196015472186.post-56886809018527327182014-11-05T23:40:00.001-06:002014-11-07T21:29:38.531-06:00SIEM 3.0 - Continuing to Deliver on Failed PromisesSIEM - <a href="https://en.wikipedia.org/wiki/Security_information_and_event_management" target="_blank">Security Information and Event Management</a> - has been a product for many, many years now and virtually every organization out there has bought into the promise of what SIEM will bring. Since the term was coined in 2005, the security industry has largely struggled to deliver on all the promises the product family made.<br /><br /><a name='more'></a><br /><h3>Bring on the Blame</h3>- We can blame <b>marketing professionals</b> who over-hyped the capabilities and wowed buyers with their mastery of buzzwords.<br />- We can blame the <b>product managers</b> for failing to build coherent features and functionality that were based on anything resembling actual use-cases.<br />- We can blame <b>user&nbsp;interface designers</b>&nbsp;for making products it takes a 40-hour course to understand, and a 1,000 page tome to utilize.<br />- We can blame <b>sales executives</b> for pushing products as <i>solutions</i>&nbsp;when most enterprises simply weren't ready to divert resources into implementation of yet another security project.<br />- We can blame <b>sales engineers</b>&nbsp;for convincing enterprise security professionals that a few carefully planned demo scripts could be practically implemented in their environment with any success.<br />- We can
blame <b>CISOs</b>&nbsp;for failing to have a salient security strategy and instead chasing "<i>shiny objects</i>".<br />- We can blame <b>security professionals</b>&nbsp;for having no grasp of use-cases, or even bothering to fully operationalize one product before moving on to the next like a child with ADHD.<br /><br />You see, the reality is I think everyone is equally culpable for the state of enterprise security right now. Specifically looking at SIEM, the hysteria has long gone over the back-side of the hype curve so we're forced to create new curves to go over.<br /><br /><h3><b>Up, Up, and Up Some More</b></h3>It's like a repetitive cycle, with only one small problem. If we keep setting new and higher expectations through hype after first failing to meet previous expectations it sets the whole thing up for a monumental fall - eventually. You see, we haven't yet fallen down the back-side of the hype curve...not totally. Every time we do someone invents another term.<br /><br />Case in point, "<b>SIEM 2.0</b>" and associated silliness. Why did we need the term SIEM 2.0? I honestly didn't know what it meant so I asked a few people whose business it was to build, sell, or operationalize SIEM. The answer I heard the most often was this:<br /><blockquote class="tr_bq">"<i>SIEM 2.0 is another attempt at SIEM. The first time we barely got the log aggregation. This time we're going to try and achieve correlation.</i>"</blockquote>Mind. Exploded.<br /><br />So if I understand this, SIEM 2.0 is a term created because SIEM has miserably failed to deliver value, based on what it was sold as. Am I getting this right?<br /><br />At this point, the hype knob goes to 12. I've heard a SIEM can be leveraged to detect fraud, APTs, botnets, malicious insiders, and behavioral anomalies. SIEMs are local appliances, virtual images, cloud-based, and of course leverage "big data". SIEMs feature log collection, aggregation, correlation, analysis and custom rules development. 
Did I miss anything?<br /><br /><h3>Analysts, Leaders, Visionaries, and Execution</h3><div>What really boils my bunny is every time one of these mystic quadrants shows up I sit and scratch my head and wonder how these things are done. Clearly the <i>analysts</i>&nbsp;haven't talked to any real users of the products because they would hear the same things I do - disappointment, anger, and disillusionment.</div><div><br /></div><div>What separates a leader from a visionary? The ability to execute? And if that's true - how do we define <b>successful</b>&nbsp;execution? What test-cases are we using and who gets to determine succeed or fail?</div><div><br /></div><div>Completeness of vision is great, but failure to execute makes that worthless. On the other side of that coin, execution is brilliant unless you're executing on dated and undesirable features. Where do we factor in the success KPIs?</div><div><br /></div><div>The security professionals and executives I talk to have a clear emphasis on execution. Make it work. Make it do what it's supposed to do. Make it relatively operational with minimum additional resources, since that's the point after all, isn't it?</div><div><br /></div><div>Actually that's an interesting point - what does the enterprise security professional expect from their SIEM product? What are the use-cases that are most useful to the broadest enterprise community? What features and functions could we simply throw away without anyone noticing - because no one uses them?</div><div><br /></div><div>Does being a leader mean you are telling your customers and end-users what they should be doing? Or is that the role of the visionary? Who is really driving this bus?</div><div><br /></div><h3>On Point</h3><div>So let me close this post out with a proposal. How about we start over, again, for the first time. Let's call it SIEM 3.0, or Next-Gen SIEM, or SIEM Type-R (R for reinvented).
I don't care what you call it, but let's start by getting together some focus groups of enterprises large and small. Let's get them talking, building use-cases, and then let's define products, services and operational strategy around that. Once you've got the thing going, let's talk about maintenance, management, and operationalizing the thing so that the number of systems submitting logs doesn't mysteriously drop over time, or the blinking alerts don't go unnoticed or unactioned.</div><div><br /></div><div>Maybe once we get past all the failed promises, we can start to develop real and useful tools that help security rather than hinder it. It's clear to me that <b>enterprise security professionals spend way too much time fighting the technology that's supposedly helping them</b>, which leaves little time to fight the actual bad guys. Security suffers from an operational problem, not a tools problem. The tools are there, just the operational processes and methodologies are missing, poorly developed, or just plain broken.</div><div><br /></div><div>This thought needs further development - but this has been bugging me long enough that I finally had to sit down and write it out. I hope you found some useful points amongst the ranting.</div>Rafal Loshttp://www.blogger.com/profile/18106347834259269413noreply@blogger.com1http://blog.wh1t3rabbit.net/2014/11/siem-30-continuing-to-deliver-on-failed.htmltag:blogger.com,1999:blog-7288550196015472186.post-63722288739052595452014-10-31T22:13:00.000-05:002014-10-31T22:13:29.884-05:00Having Fun with Password Self-Reset MechanismsYou know what makes me crazy? Security people who don't understand how crappy attempts to push security policy actually drive security (in the real world) lower.
Sometimes, and this makes it a little bit less bad, it's not security people that are responsible but well-meaning developers, project managers, or others who simply don't understand.<br /><br />The quintessential example of this phenomenon is the password self-service reset functionality built into many websites. It's almost 2015 and I was forced to register for a website the other day where I can't really tell you <i>why</i>&nbsp;they needed me to set up a username and password, but I couldn't do what I needed to without that unfortunate string of events that all but guaranteed that I would be upset.<br /><br /><a name='more'></a><br />First is that nagging feeling that this site is going to get hacked, or already has been. You know the one. As a security professional (<i>or often just someone with some sense</i>) you pull up a website which just screams "We took zero security precautions because we know nothing about web development (while using the &lt;blink&gt; tag)" - and suddenly you realize you almost have to give this site some of your personal information. Lovely.<br /><br />Then there's that feeling that <b>when this site gets hacked</b>&nbsp;there's very little you can do because they're going to need at least some of your info. You get through registration and you can't continue without setting up those "password self reset questions" so many sites are <b>infamous</b> for. Genius questions which no one could ever find out about you like ... "Where did you go to high school?" or "What is your favorite color?" or "What is your favorite food?". Brilliant stuff like that. But sometimes they give you a choice of 5 different ones (all of which stink) and you have to pick 3. In this case I had to do this exact thing but the questions were infuriating.
One of them asked for my mother's maiden name, another for my high school best friend, and another for the last 4 digits of my favorite credit card (seriously?!).<br /><br />So I picked the ones that I knew were the least destructive (when spilled all over the Internets) and right before I clicked <b>Next</b>&nbsp;I thought of something. Why in the world am I giving them the real answers? I have a password manager which will remember these for me, and my password incidentally, so why not get creative?<br /><br />So here's my advice to you - get creative!<br /><br />Your favorite color? peanuts<br />Your first car? Orange<br />Your best friend in High School? Polar Bear<br /><br />See this way when someone pillages the website's database of all that clear-text "<b>security stuff</b>" at least the data they steal won't be usable against you at some other website. Also, use per-website passwords. I have to be honest, at this point if you're not using a password manager with built-in password generator for even the most basic websites - you deserve what's comin' to you.<br /><br />Good luck!Rafal Loshttp://www.blogger.com/profile/18106347834259269413noreply@blogger.com1http://blog.wh1t3rabbit.net/2014/10/having-fun-with-password-self-rest.htmltag:blogger.com,1999:blog-7288550196015472186.post-48587068185570864162014-10-21T17:46:00.000-05:002014-10-24T13:15:21.260-05:00The Other Side of Breach HysteriaIn a world where <i>everyone</i> is trying to sell you <i>something</i>, security is certainly no exception. But separating the hype from the truth can easily turn into a full time job if you're not careful.<br /><br />With all the recent retail data breaches, it would appear as though the sky is falling in large chunks right on top of us.
Every big-name retailer, and even some of the smaller ones, are being hacked and their precious card data is being whisked away to be sold to miscreants and criminals.<br /><br />Now enter the sales and marketing pitches. After every breach it would seem our mailboxes fill up with subject lines such as-<br /><blockquote class="tr_bq">"<i>Learn how not to be the next &lt;insert recent breach victim here&gt;, read how our latest gizmo will keep you secure!</i>"</blockquote>I don't know about you, but the snake-oil pitch is starting to get old. While it's clear that the average buyer is getting the message about data breaches and hackers - I believe there are two other aspects of this which aren't talked about enough.<br /><br />First there is the notion of "breach fatigue". If you read the news headlines you would have thought that everyone's bank accounts would be empty by now, and everyone in the United States would have been the victim of identity theft by now. But they haven't. Or they haven't been impacted directly. This leads to the Chicken Little problem.<br /><br />You see, many security professionals cried that security incidents did not receive enough attention. Then the media took notice, and sensationalized the heck out of incidents to an almost rock-star fervor. The issue here is that I believe people are starting to grow weary of the "Oh no! Hackers are going to steal everything I have!" talk. Every incident is the biggest there has ever been. Every incident is hackers pillaging and stealing countless credit card records and identities. The average person doesn't quite know what to make of this, so they have no choice but to mentally assume the worst. Then - over time - the worst never comes. Sure, some get impacted directly but there is this thing called zero fraud liability (in the case of card fraud) that means they are impacted - but barely enough to notice because their banks make it alright. 
<i>More on this in a minute</i>.<br /><br />We as humans have a shocking ability to develop a tolerance to almost anything. Data breach hysteria is no exception. I've now seen and heard people around televisions (at airports, for example, where I happen to be rather frequently) say things like "Oh well, more hackers, I keep hearing about these hackers and it never seems to make a difference." Make no mistake, this is bad.<br /><br />You see, the other side of the awareness hill, which we are rapidly approaching, is apathy. This is the kind of apathy that is difficult to recover from because we push through the first wave of apathy into awareness, and then hysteria, which leads to a much stronger version of apathy where we will be stuck - I believe. So there we are, stuck.<br /><br />If I'm honest, I'm sick and tired of all the hype surrounding data breaches. They happen every day of every week, and yet we keep acting like we're shocked that Retailer X, or Company Y was breached. Why are we still even shocked? Many are starting to lose the ability to become shocked - even though the number of records breached and the scale of the intrusions are reaching absurd proportions.<br /><br />The second point I'd like to make is around the notion of individual impact. Many people simply say that "<i>this still doesn't impact me</i>" because of a wonderful thing like <b>zero fraud liability</b>. Those 3 words have single-handedly destroyed the common person's ability to care about their credit card being stolen. After you've had your card cloned, or stolen online and had charges show up - you panic. Once you realize your bank has been kind enough to put the funds back, or roll back the fraudulent charges, you realize you have a safety net. Now these horrible, terrible, catastrophic breaches aren't so horrible, terrible and catastrophic. 
<i>Now they're the bank's problem</i>.<br /><br />Every time someone has a case of credit card fraud the bank covers under zero fraud liability (and let's face it, most cards and banks have this today) - their level of apathy for these mega-breaches grows. I believe this is true. I also believe there is little we can do about it. Actually, I'm not sure if there is anything that needs to be done about it. Maybe things are just the way they're going to be.<br /><br />There is a great phrase someone once used that I'm going to paraphrase and borrow here - <b>things are as bad as the free market will support</b>. If I may adapt this to security - <b>the security of your organization is as good (or bad) as your business and your customers will support</b>.<br /><br />Think about that.<br /><br />Rafal Los (<a href="http://www.blogger.com/profile/18106347834259269413">Blogger profile</a>), 1 comment. Post URL: <a href="http://blog.wh1t3rabbit.net/2014/10/the-other-side-of-breach-hysteria.html">http://blog.wh1t3rabbit.net/2014/10/the-other-side-of-breach-hysteria.html</a><br /><br /><b>Security Lessons from Complex, Dynamic Environments</b> (published 2014-10-11)<br /><br />Security is hard.<br /><br />Check that- security is relatively hard in static environments, but when you take on a dynamic company environment security becomes unpossible. I'm injecting a bit of humor here because you're going to need a chuckle before you read this.<br /><br />Some of us in the security industry live in what's referred to as a static environment. Low rate of change (low entropy) means that you can implement a security control or measure and leave it there, knowing that it'll be just as effective today as tomorrow or the day after. Of course, this takes into account the rate at which effectiveness of security tools degrades, and understanding whether things were effective in the first place. 
It also means that you don't have to worry about things like a new system showing up on the network very often or a new route to the Internet. And when these do happen, you can be relatively sure something is wrong.<br /><br />Early on in my career I worked for a technical recruiting firm. Computers were just a tool and companies having websites was a novelty. The ancient <a href="https://en.wikipedia.org/wiki/NetWare" target="_blank">Novell NetWare 3.11</a> systems had not seen a reboot in literally half a decade but nothing was broken so everything just kept running and slowly accumulating inches of dust in the back room. When I worked there we modernized to NT 3.51 (<i>don't laugh, I'm dating myself here</i>) and built an IIS-based web page for external consumption. That place was a low entropy environment. We changed out server equipment never, and workstations every 5 years. If all of a sudden something new showed up in the 30 node network, I'd immediately suspect something was amiss. At the time, nothing that exciting ever happened.<br /><br />Fast forward a few years and I'm working for a financial start-up. It's the early 2000's and this company is the polar opposite of a static company. We have at least 1 new server coming online a day, typically 5-10 new IP addresses showing up that no one can identify. We get by because we have one thing going for us. That one thing is the on-ramp to the Internet. We have a single T1 which connects us to the rest of the world. We drop in a firewall and an IDS (I think we used an early SNORT version, maybe, plus a Sonic Wall firewall). When that changed and our employees started to go mobile and thus VPN, things got a little hairy.<br /><br />Fast forward another few years and I'm working at one of the world's largest companies on arguably one of the most complex networks mankind has ever seen. Forget trying to understand or know everything - we're struggling to keep track of the few things we DO know. 
Heck we spend 4 weeks NMap'ing (and accidentally causing a minor crisis, oops) our own IP subnets to find all the NT4 systems when support finally and seriously for real this time, ran out.<br /><br />Now let's look at security in the context of this article (and reported breach) - <a href="http://www.nextgov.com/cybersecurity/2014/10/dhs-attackers-hacked-critical-manufacturing-firm-months/96317/">http://www.nextgov.com/cybersecurity/2014/10/dhs-attackers-hacked-critical-manufacturing-firm-months/96317/</a>. Let me highlight a few key quotes for you-<br /><blockquote class="tr_bq">"<i>The event was complicated by the fact that the company had undergone corporate acquisitions, which introduced more network connections, and consequently a wider attack surface. The firm had more than 100 entry and exit points to the Internet.</i>"</blockquote>You may chuckle at that, but I bet you have pretty close to this at your organization. Sure, maybe the ingress/egress points <i>you control</i> are few, and well protected, but it's the ones you don't know about which will hurt you. Therein lies the big problem - the <b>disconnect between business risk and information security ("cyber") risk</b>. If information security isn't a part of the fabric of your business, and a part of the core of the business decision-making process you're going to continue to fail big, or suffer by a thousand papercuts.<br /><br />While not necessarily as sexy as that APT Defender Super Deluxe Edition v2.0 box your vendor is trying to sell you, network and system configuration management, change management and asset management are things you absolutely <i>must get right</i>, and must be involved in as a security professional for your enterprise. The alternative is you have total chaos wherein you're trying to plug each new issue as you find out about it, while the business has long forgotten about the project and has moved on. 
This sort of asynchronous approach is brutal in both human effort and capital expenditure.<br /><br />Now let's focus on another interesting quote from the article. Everyone likes to offer advice to breach victims, as if they have any clue what they're saying. This one is a gem-<br /><blockquote class="tr_bq">"<i>Going forward, “rearchitecting the network is the best approach to ensure that the company has a consistent security posture across its wide enterprise," officials advised.</i>"</blockquote>What sort of half-baked advice is that?! Those of you who have worked incidents in your careers, have you ever told someone that the best thing to do with your super-complex network is to totally rearchitect it? How quickly would you get thrown out of a 2nd story window if you did? While this advice sounds sane to the person who's saying it - and likely has never had to follow the advice - can you imagine being given the task of completely rearchitecting a large, complex network in-place? I've seen it done. Once. And it took super-human effort, an army of consultants, more outages than I'd care to admit, and it was still cobbled together in some places for "legacy support".<br /><br />Anyway, somewhere in this was a point about how large, complex networks and dynamic environments are doomed to security failure <b>unless</b> security is elevated to the business level and becomes an executive priority. I recognize that not every company will be able to do this because it won't fit their operating and risk models - but if that's the case you have to prepare for the fallout. 
In the cases where risk models say security is a business-level issue you have a chance to "get it right"; this means you have to give a solid effort and align to business, and so on.<br /><br />Security is hard, folks.<br /><br />Rafal Los (<a href="http://www.blogger.com/profile/18106347834259269413">Blogger profile</a>), 0 comments. Post URL: <a href="http://blog.wh1t3rabbit.net/2014/10/security-lessons-from-complex-dynamic.html">http://blog.wh1t3rabbit.net/2014/10/security-lessons-from-complex-dynamic.html</a><br /><br /><b>To Reform and Institutionalize Research for Public Safety (and Security)</b> (published 2014-10-06)<br /><br />On October 3rd, 2014 a petition appeared on the Petitions.WhiteHouse.gov website titled "<a href="https://petitions.whitehouse.gov/petition/unlock-public-access-research-software-safety-through-dmca-and-cfaa-reform/DHzwhzLD" target="_blank">Unlocking public access to research on software safety through DMCA and CFAA reform</a>". I encourage you to go read the text of the petition yourself.<br /><br />While I believe that on the whole the CFAA and more urgently the DMCA need dramatic reforms if not to be flat-out dumped, I'm just not sure I'm completely on board with where this idea is going. I've discussed my displeasure for the CFAA on a few of <a href="http://podcast.wh1t3rabbit.net/dtr-featurecast-cfaa-shellshock-and-security-research-october-2nd-2014" target="_blank">our recent podcasts</a> if you follow our Down the Security Rabbithole Podcast series, and I would likely throw a party if the DMCA were repealed tomorrow - but unlocking "<i>research</i>" broadly is dangerous.<br /><br />There is no doubt in my mind that security research is critical in exposing safety and security issues in matters that affect the greater public good. However, let's not confuse <i>legitimate research</i> with thinly veiled extortion or a license to <i>hack at will</i>. 
We can all remember the incident Apple had where a hacker purportedly had exposed a flaw in their online forums, then to prove his point he exploited the vulnerability and extracted data of real users. All in the name of <i>"research"</i> right? I don't think so.<br /><br />You see, what a recent conversation with <a href="https://twitter.com/shawnetuma" target="_blank">Shawn Tuma</a> has taught me is that under the CFAA we have one of these "I'll know it when I see it" conditions where a prosecuting attorney can choose to either go after someone, or look the other way if they believe they were acting in good faith and for the public good... or some such. This type of power makes me uncomfortable as it gives that prosecuting attorney way too much room. Room for what, you ask? How about room to be swayed by a big corporation... I'm looking at you AT&amp;T.<br /><br />Let me lay out a scenario for you. Say you are a security professional interested in home automation and alarm systems. You purchase one, and begin to conduct <i>research</i> into the types of vulnerabilities one of these things is open to - since you'll be installing it in your home and all. You uncover some major design flaws, and maybe even a way to remotely disable the home alarm feature on thousands of units across the country. You want to notify the company, get them to fix the issue, and maybe get a little by-line credit for it. Only the company slaps a DMCA lawsuit on you for reverse engineering their product and you're in hot water. Clearly they have more money and attorneys than you do. Your choices are few - drop the research or face criminal prosecution. Odds are you're not even getting a choice.<br /><br />In that scenario - it's clear that reforms are needed. Crystal clear, in fact.<br /><br />The issue is we need to protect <b>legitimate research</b> from prosecutorial malfeasance while still allowing for laws to protect intellectual property and a company's security. 
So you see, the issue isn't as simple as <i>opening up research</i>, but much more subtle and deliberate.<br /><br />How do we limit the law and protect legitimate research, while allowing for the protections companies still deserve? I think the answer lies in how we <b>define a researcher</b>. I propose that we require researchers to declare their research and its intent and draft ethical guidelines which can be agreed upon (and enforced on both ends) between the researcher and the organization being researched. There must be rules of engagement, and rules for "responsible and coordinated disclosure". The laws must be tweaked to shield researchers with declared intent who are following the rules of engagement from being prosecuted by a company which is simply trying to skirt responsibility for safety, privacy and security. Furthermore, there must be provisions for matters that affect the greater good - which companies simply cannot opt out of.<br /><br />Now, if you ask me if I believe this will happen any time soon, that's another matter entirely. Big companies will use their lobbying power to make sure this type of reform never happens, because it simply doesn't serve their self-interest. Having seen first-hand the inner workings of a large enterprise technology company - I know exactly how much profit is valued over security (or anything else, really). Profit now, and maybe no one will notice the big gaping holes later. That's just how it is in real life. But when public safety comes into play I think we will see a few major incidents where we have loss of life directly attributed to security flaws before we see any sort of reform. Of course when we do have serious incidents, they'll simply go after the hackers and shed any responsibility. That's just how these things work.<br /><br />So in closing - I think there is a lot of work to be done here. 
First we need to more closely define and create formal understanding of <b>security research</b>. Once we're comfortable with that, we need to refine the CFAA and maybe get rid of the DMCA - to legitimize security research into the areas that affect public safety, privacy and security.<br /><br />Rafal Los (<a href="http://www.blogger.com/profile/18106347834259269413">Blogger profile</a>), 0 comments. Post URL: <a href="http://blog.wh1t3rabbit.net/2014/10/to-reform-and-institutionalize-research.html">http://blog.wh1t3rabbit.net/2014/10/to-reform-and-institutionalize-research.html</a><br /><br /><b>Software Security - Hackable Even When It's Secure</b> (published 2014-09-24, updated 2014-10-06)<br /><br />On a recent call, one of the smartest technical folks I can name said something that made me reach for a notepad, to take the idea down for further development later. He was talking about why some of the systems enterprises believe are <i>secure</i> really aren't, even if they've managed to avoid some of the key issues.<br /><br />Let me explain this a little deeper, because this thought merits such a discussion.<br /><br />Think about what you go through if you're testing a web application. I can speak to this type of activity since it was something I focused on for a significant portion of my professional career. Essentially the whole of the problem breaks down to being able to define what the word <i>secure</i> means. Many organizations that I've first-hand witnessed stand up a software security program over the years follow the standard OWASP Top 10. It's relatively easy to understand, it's fairly well maintained, and it's relatively easy to test software against. It's hard to argue with the notion that the OWASP Top 10 is not the standard for determining whether a piece of software is <i>secure</i> or not.<br /><br />Herein lies the problem. 
As many of you who do software security testing can testify to, without at least a structured framework (aka checklist) to go against, the testing process becomes never-ending. I don't know about you, but I've never had the luxury of taking all the time I needed; everything always needed to go live yesterday and I or my team was always the speed bump on the way to production readiness. So we first settled on making sure <b>none</b> of the OWASP Top 10 were present in software/applications we tested. Since this created an unreal amount of bugs, we narrowed scope down to just the OWASP Top 2. If we could eliminate injection and cross-site scripting the applications would be significantly more secure, and everything would be better.<br /><br />Another issue, then. After all that testing, and box-checking, when we were fairly sure the application didn't have remote file includes, cross-site scripting (XSS), SQL Injection or any of that other critical stuff - we allowed the app to go live and it quickly got hacked. The issue this caused for us was not only one of credibility, but also of confusion. How could the app not have any of those critical vulnerabilities but still get easily hacked?!<br /><br />Now back to the issue at hand.<br /><br />The fact is that even when you've managed to avoid all the common programming mistakes, and well-known vulnerabilities you can still produce a vulnerable application. Look at what <a href="https://twitter.com/TheHackersNews/status/514031825660813312/photo/1" target="_blank">eBay is going through</a> right now. Fact is, even though there may not be any XSS or SQLi in their code - they still have issues allowing people to take over accounts. Why? It's because there is more to securing an application than making sure there aren't any coding mistakes. Fully removing the OWASP Top 10 (good luck with that!) from all your code bases may make your applications safer than they are now - but it won't make them secure. 
And therein lies the problem.<br /><br />When you hand your application over to someone who is going to test it for code issues like the OWASP Top 10, and only that, you're going to miss massive bugs that may still lurk in your code. Heartbleed anyone? Maybe there is a logic flaw in your code. Maybe there is a procedural mistake that allows for someone to bypass a critical security mechanism. Maybe you've forgotten to remove your QA testing user from your production code. Thing is, you may not actually know if you <i>just test it for app security issues</i> with traditional or even emerging tools. Static analysis? Nope. Dynamic analysis? Nope. Manual code review? Maybe.<br /><br />The ugly truth is that unless you have someone who not only understands what the code <i>should do</i> under normal conditions - but also what it <i>should never do</i>, you will continue to have applications with security issues. This is why automated scanners fail. This is why static analysis tools fail. This is why penetration testers can still fail - unless they're thinking outside the code and thinking in terms of application functionality and performance.<br /><br />The reality is that for those applications that simply can't easily fail - you not only need to get it tested by some brilliant security and development minds, but also by someone who understands that beautiful combination of software development, security, and application business processes and design. Someone who looks at your application and says: "You know what would be interesting?"...<br /><br />In my mind this goes a great deal to explaining why there are so many failing software security programs out there in the enterprise. We seem to be checking all the right boxes, testing for all the right things, and still coming up short. Maybe it's because the structural integrity hasn't been validated by the demolitions expert.<br /><br />Test your applications and software. 
Go beyond what everyone tells you to check and look deep into the business processes to understand how entire mechanisms can be abused or entirely bypassed. That's how we're going to get a step closer to having better, safer and more secure code.<br /><br />Rafal Los (<a href="http://www.blogger.com/profile/18106347834259269413">Blogger profile</a>), 1 comment. Post URL: <a href="http://blog.wh1t3rabbit.net/2014/09/software-security-hackable-even-when.html">http://blog.wh1t3rabbit.net/2014/09/software-security-hackable-even-when.html</a><br /><br /><b>Managing Security in a Highly Decentralized Business Model</b> (published 2014-09-05, updated 2014-10-06)<br /><br />Information Security leadership has and will likely continue to be part politicking, part sales, part marketing, and part security. As anyone who has been a security leader or CISO in their job history can attest to, issuing edicts to the business is as easy as it is fruitless. Getting positive results in all but the most strictly regulated environments is nearly impossible. In highly centralized organizations, at least, the CISO stands a chance since the organization likely has common goals, processes, and capital spending models. When you get to an organization that operates in a highly distributed and decentralized manner the task of keeping pace on security grows to epic proportions.<br /><br />As I was performing a recent ISO 27002 controls audit against one of these highly decentralized organizations the magnitude of their challenge really hit me. While the specific industry is relevant to this example I can simply say that they are in the business of making, testing and selling stuff. Parts of their business make things. Parts of their business test things. And parts of their business sell both the things the other businesses do for various use-cases. Some of the business is heavily regulated. Some of the business isn't regulated at all. 
All of the enterprise is connected via a single network, with centralized IT services, applications and management. I could stop right here and you'd understand why this is nearly impossible to make universally applicable.<br /><br /><br /><b>Bad Math</b><br /><br />What makes this even more difficult on the security organization is that their core team is exactly 0.04% of the overall company staff. Their full staff complement, including recently hired new members, is less than 5% of the total IT staff count. The security device-to-staffer ratio is horrible, their budget is insignificant, and for all intents and purposes the security function is relatively new when compared against the rest of the enterprise. I'm not a statistician, or particularly good at math, but even I know those numbers don't work out well.<br /><br /><br /><b>Diversity Challenges</b><br /><br />Security in the enterprise is largely about building and operationalizing repeatable patterns of process and methodology to achieve scale. This works well in even very large, but very centralized and uniform enterprises. The problem is when you get into enterprises that are extremely diverse in business practices, technologies, goals, and compliance initiatives: repeatable patterns fail to scale well since you end up building a new unique set for every different piece of the organization.<br /><br />In this situation the only chance enterprise security has is local representation from inside the business. Generally, though, in my experience you're not going to find many security experts from within these businesses that have "an IT guy/gal" or three. The situation just keeps getting worse.<br /><br />Think about this- from an operating platforms perspective you may have some OS/2, lots of UNIX variants, Mac OS, Windows from WinNT 4.0 through Windows 8.1, and then some device specific platforms like <a href="http://en.wikipedia.org/wiki/VxWorks" target="_blank">VxWorks</a>. 
If you're lucky all you have is Ethernet (Category 5/6) cabling and nothing else... Now add specialized programs, PLCs, Industrial Control Systems (ICS), and it gets messy fast.<br /><br />At this point it almost doesn't matter how many security resources you have, the only way you'll scale is automation.<br /><br /><br /><b>The Catch-22</b><br /><br />Sometimes things become a chicken vs egg problem. In order to have better scale with fewer resources your security organization clearly needs more automation. The problem with more automation is it tends to create the need for more security resources to manage it (<i>you don't actually believe the marketing or sales hype that these things manage themselves, do you?</i>) to get effective scale. Either way - you don't have the people to do this.<br /><br /><br /><b>Bad, Meet Worse</b><br /><br />Where things go from bad to untenable is when the business alignment and co-operation isn't ideal. As in real life, not all business units will be friendly or even want to deal with "corporate". In that case you're not only facing the impossible challenge of addressing the business security issues, but now you're fighting against politics as well. Sometimes you just cannot win.<br /><br />If you factor in that generally security isn't the most loved part of the IT organization because of its history of being "<i>the no people</i>" you quickly realize that the deck is heavily stacked against you. There are certainly ample opportunities to trip on your own untied shoelaces and fall flat on your face. The key to not doing this lies in a multi-step process which includes assessment, prioritization, buy-in, and effective operationalization.<br /><br /><br /><b>Steering the Titanic by Committee</b><br /><br />As the CISO or security leader of a highly decentralized enterprise you're not going to get many wins that come easily. 
You're probably not going to do a very good job at preventing and preempting that next breach. Heck, you may not even be able to detect or respond in a timely fashion. But the key to not failing as hard is to not go at it alone. Even if you have a centralized security team of 100+ you're still going to fall prey to these same challenges. You need support from the various edge-cases in your enterprise structure. You need help from your corporate counterparts, and your outliers.<br /><br />Cooperatively working towards better security is hard. It may be an order of magnitude harder than anything else you can do from a central control model - but if that's the only operating model you have available to you then it's time to make lemonade. In the next few posts I'll try to apply some of the lessons learned and recommendations from a series of these types of engagements. Maybe some of them will help you make better lemonade. Or figure out when it's time to move to a new lemonade stand.<br /><br />Rafal Los (<a href="http://www.blogger.com/profile/18106347834259269413">Blogger profile</a>), 0 comments. Post URL: <a href="http://blog.wh1t3rabbit.net/2014/09/managing-security-in-highly.html">http://blog.wh1t3rabbit.net/2014/09/managing-security-in-highly.html</a><br /><br /><b>The Indelicate Balance Between "Keep it Working" and "Keep It Safe"</b> (published 2014-08-20)<br /><br />Security professionals continue to fool themselves into believing we walk a delicate balance between keeping the business functional, and keeping it safe (secure). This is, in many people's belief, mine included, a lie. There is no delicate balance. 
The notion of being able to balance these on a teeter-totter looks like this:<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-L-rl6kF1Yto/U_TOKdgIkfI/AAAAAAAAH0E/t8Qn_XcpchY/s1600/Business%2BLeverage.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-L-rl6kF1Yto/U_TOKdgIkfI/AAAAAAAAH0E/t8Qn_XcpchY/s1600/Business%2BLeverage.jpg" height="320" width="314" /></a></div><br />Guess which one the 'safe and secure' is? Exactly.<br /><br />An interesting conversation (warning: profanity, not so safe for office) happened earlier today. And as per the usual, someone very smart and seasoned in the enterprise side of defense <a href="https://twitter.com/AdvancedThreat/status/502124553393668096" target="_blank">made the point clear</a>.<br /><br />The bottom line is this:<br />&nbsp; You can't <b>ever</b> cross the line into 'breaking business stuff' because you likely never get the chance again.<br /><br />Each time the pendulum swings into the "secure" side of the spectrum it stays only for a tiny fraction of time, and we as security professionals have to work very hard to <i>make it stick</i>, or it swings back the other way... quickly.<br /><br />So the question then is, how do we "make it stick"?<br /><br />Simple! We demonstrate the <b>business value</b> of good security (aka keeping the enterprise safe). Of course, there are few things that are more <i>simple</i> than this, including tightrope walking the Grand Canyon, being an astronaut, and nuclear physics. Whoops, hyperbole ran away with me there for a moment, sorry. Back to reality.<br /><br />So the key is to make security sticky. You need to align security to something the business can get behind. Hence, business value is so important to measure. 
But if you're still stuck reporting useless metrics - like how many port scans your firewall blocked, or how many SQL Injection instances your Software Security program identified - you're miles away from demonstrating business value.<br /><br />This brings me back to KPIs, and the development of data points which strongly align to business/enterprise goals. All of this is predicated on someone in the security organization (or everyone?) being alert and aware of what the <b>business</b> is trying to accomplish at the board/strategic level. Does your organization have this type of awareness and knowledge? Are you leveraging it?<br /><br />I can tell you that if you're not, the picture above will continue to be your fate... from yesterday to today and on into the future.<br /><br />Rafal Los, <a href="http://blog.wh1t3rabbit.net/2014/08/the-indelicate-balance-between-keep-it.html">http://blog.wh1t3rabbit.net/2014/08/the-indelicate-balance-between-keep-it.html</a><br /><br /><b>Getting in Our Own Way</b> (published 2014-08-13)<br /><br />The security community has this widely-understood reputation for self-destruction. This is not to say that other communities of professionals don't have this issue, but I don't know if the negative impact potential is as great.
Clearly I'm not an expert in all fields, so I'll just call this a hunch based on unscientific gut feeling.<br /><br />What I do see, though, much like with the efforts of the "<a href="http://www.iamthecavalry.org/" target="_blank">I am the Cavalry</a>" movement which has sent an <a href="https://www.change.org/petitions/automotive-industry-we-request-that-you-unite-with-us-in-a-joint-commitment-to-safety-between-the-automotive-and-cyber-security-industries" target="_blank">open letter via Change.org to the auto industry</a>, is resentment and dissent without much backing. In an industry which still has more questions than answers - and it gets worse every day - when someone stands up with a possible effort towards pushing a solution, you quickly become a lightning rod for naysayers. Why is that?<br /><br />One of my colleagues who is a veteran CISO has a potential answer - which for the record I'm uncomfortable with. He surmises that the collective "we" (as in the security community) aren't actually interested in <b>solving problems</b>&nbsp;because the real solutions require "<i>soft skills like personality</i>" and business savvy in addition to technical acumen. It turns out that taking the time to understand the problem, and attempting to solve it (or at least move the ball forward), is very hard. With the plethora of security problems in nearly everything that has electricity flowing to it, it's near-trivial to find bugs. Some of these bugs are severe, some of them are the same ol', same ol' SQL injection and buffer overflows which we identified over a decade ago but still haven't solved. So finding problems isn't rocket science - actually presenting real, workable solutions is the trick. This is just my humble opinion based on my time in the enterprise and in consulting.<br /><br />I once worked for a CISO who told his team that he didn't want to hear about more problems until we had a proposed solution.
Furthermore, I'm all for constructive criticism to help contribute to the solution - but don't attack the person or the proposed solution just to do it. Don't be that person.<br /><br />I think it may have been <a href="https://twitter.com/thedarktangent" target="_blank">Jeff Moss</a> that I heard say it - "Put up or shut up"... so give me your solution idea, or stop whining that things are broken.<br /><br />Rafal Los, <a href="http://blog.wh1t3rabbit.net/2014/08/getting-in-our-own-way.html">http://blog.wh1t3rabbit.net/2014/08/getting-in-our-own-way.html</a><br /><br /><b>Why Your Enterprise Most Likely Doesn't Have a Zero-Day Problem</b> (published 2014-08-08)<br /><br />It should come as no surprise that at Black Hat 2014 this week there were an enormous number of invaluable conversations, as always. We talked about attacks, exploits and exploitation techniques as well as defenses basic and exotic. A few of these ended up in the same place, logically, and have led me to conclude that the majority of enterprises out there don't have a zero-day problem. Let me explain...<br /><br />It should by now be clear if you're a security professional that the average enterprise struggles with even the most basic security hygiene. This of course makes life difficult when we start to pile on cross-silo dependencies - for example <i>configuration management </i>- for security effectiveness.
While I certainly don't mean to imply that <b>every</b>&nbsp;enterprise can't do the basics, I have yet to meet a CISO who is comfortable with the fundamentals of asset, configuration and user management on an enterprise scale and in a timely fashion.<br /><br />That being said, I further submit that zero-day attacks and exploits are an advanced level of attack typically reserved for targeted organizations which have significant levels of security capability mandating these advanced levels of effort. Basically, if you've got your fundamentals right, you're doing good block-and-tackle security, and your users are well educated to be skeptical of links and things sent to them, the determined attacker will be forced to turn to exploiting <i>yet unknown and unpatched&nbsp;</i>weaknesses in your software to get through your defenses. The truth is, I have come to believe, that the vast majority of enterprises just don't have their act together enough to merit that level of effort from the attacker.<br /><br />From what I know, an attacker burning a zero-day exploit is a non-trivial matter. Zero-days, while still fairly plentiful, have a cost associated with them, and an attacker will use one of these once he or she has exhausted the typical, and often <i>easy</i>, methods of breaching your security. There are simply too many options further down the chain. You have to look no further than a conversation with <a href="https://twitter.com/hackingdave" target="_blank">David Kennedy</a> of TrustedSec, who makes it clear exploits aren't required to break in. All that's required, in still far too many instances, is sending someone in the organization a malicious link or a malicious file, and they'll open the door and show you their closely-guarded intellectual property ... and probably hold the door for you as you walk out with it. Yes, indeed it is that simple to exploit corporate security with brain-boggling results.<br /><br />So why burn a zero-day?
Attackers typically won't unless they've encountered roadblocks in other avenues. Since PowerShell is installed on every new Windows PC, it's the perfect tool to use to execute an attack, legitimately, on a target host. All the user has to do is let you in... and we all know that most users will still click on the lure of a dancing bear or the promise of nude photos of their favorite celebrity.<br /><br />So while your enterprise security organization may actually encounter some malware samples with zero-day exploits in them, they likely <b>aren't targeted </b>at your organization. The problem your average enterprise has is poor fundamentals - leaving you open to all manner of exploit and penetration without the use of any more advanced techniques than "asking the user for permission". So why would an attacker burn a precious zero-day against you? They likely wouldn't. Unless, you know, you're a target.<br /><br />Rafal Los, <a href="http://blog.wh1t3rabbit.net/2014/08/why-your-enterprise-most-likely-doesnt.html">http://blog.wh1t3rabbit.net/2014/08/why-your-enterprise-most-likely-doesnt.html</a><br /><br /><b>Security on a Weak IT Foundation</b> (published 2014-08-01)<br /><br /><b>The interesting question of maturity</b><br /><b><br /></b>Earlier this week, <a href="https://twitter.com/x509v3" target="_blank">Bill Burns</a> asked me this question...<br /><blockquote class="tr_bq">"<i>can a security team have a higher level of maturity than the IT team that handles its operational tasks?</i>"</blockquote><div>It's an interesting question, and one that certainly requires some level of thought. My top-of-my-head response was - well ... no.
This is clearly a "lowest common denominator" problem.<br /><br />The more I thought about it, the more this seemed like an obvious answer - a CMMI level 2 IT organization was never going to support a CMMI level 3-5 security organization. That should seem rather obvious. But the more I thought about this, the more I thought that a CMMI level 2 IT organization can't support anything but an n-1 security organization. Let me explain my thinking here:<br /><br /><br /><b>Weak foundations, weak security</b><br /><b><br /></b>It should be rather obvious that a weak foundation cannot support a tall, strong structure. You simply don't have the stuff it takes to hold it all up, from a building perspective.<br /><br />In the IT world, if you have weak operational IT practices, you'll never get anything better than weak security practices. For example, let's look at how IT views and assesses assets on the corporate network. If IT can't tell you every asset on the corporate network <i>right now</i>&nbsp;in an on-demand manner, with troves of <i>accurate meta-data</i>, then you can't possibly expect to build a strong security operations program on top of that. Security needs foundational things such as the ability to <b>know</b>&nbsp;what's on the network and loads of meta-data about each asset in order to make decisions on the risks these assets pose.<br /><br />Decomposing that even further to the simplest blocks - if IT doesn't know what's most critical to the business in terms of supporting function, security has absolutely zero chance of successfully crafting a defensive response strategy or operational plan. If an asset is suspected of being malicious or compromised (an IP address, for example), meta-data is needed to decide whether the alert could potentially be a false-positive, or if it even warrants a response (maybe it's just some lab machine which can simply be turned off). As a kid G.I.
Joe taught us that knowing was half the battle - and not knowing means you're lost.<br /><br /><br /><b>Weak foundations, weaker security</b><br /><b><br /></b>In an effort to try to understand this more, my line of thinking leads me to believe that organizations with a particular CMMI score when it comes to general IT can only support an n-1 CMMI score for security maturity.<br /><br />The reason I believe this is that security operations, by their very nature, cross many IT silos and require well-thought-out and precisely executed workflows and communication to function well. When you cross team boundaries, silos and responsibilities, these inherently break down, even if only a little - thus diminishing what you can build on top of them. Like the great pyramids - the higher you build, the more you have to stack inward. Security - at least in my narrow view - is sitting right at the top of the IT ladder, thus making it fairly difficult to do well if the base of IT operations is shaky.<br /><br /><br /><b>TL;DR</b><br /><b><br /></b>The long and short of it is this - if your enterprise has poor IT hygiene, and ranks low on the CMMI scale - focus security effort and resources on helping IT level up before you start to drop in expensive and complicated security kit. In essence, flashy boxes or solutions won't do you much good when you try to operationalize them on top of poorly functioning IT infrastructure, processes and methodologies.</div><br /><br />Rafal Los, <a href="http://blog.wh1t3rabbit.net/2014/08/security-on-weak-it-foundation.html">http://blog.wh1t3rabbit.net/2014/08/security-on-weak-it-foundation.html</a><br /><br /><b>Ad-Hoc Security's Surprisingly Negative Residual Effect</b> (published 2014-07-26)<br /><br />Security is fraught with the ad-hoc approach.
Some would argue that the very nature of what we do in the Information Security industry necessitates a level of ad-hoc-ness and that to try to get away from it entirely is foolish.<br /><br />CISOs are challenged with this very thing, every hour of every day. Threats pop up that they aren't prepared for and present an imminent danger to the business, so they must react. These reactions are necessary to keep the business operational, no one will argue that, but it is when they have a residual effect on the enterprise that we run into problems.<br /><br />It's the old snowflake rolling down the mountain analogy... sort of.<br /><br /><b><br /></b><b>How it starts</b><br /><br />Since no security program I'm aware of has managed to account for all the threats it will encounter, let's take any one of them as an example. The threat may be some semi-custom malware which targets a particular piece of software in their industry vertical, or it may simply be something as common as a banking trojan. The CISO realizes that they simply don't have the supporting infrastructure to mitigate or help in remediation of the threat - so off to the ad-hoc bin we go.<br /><br />There are, in general, three possible courses of action which follow.<br /><br />First, the ever-popular "we'll write some code" option. Many CISOs have access to some amazing security talent, and thus the ability to whip up some custom-coded solution which takes care of the issue. Quite common. I'm not even saying this is a bad option! If you've got the talent, why not utilize it to its full potential?<br /><br />Second, the almost-as-popular "hire an army of consultants" option. External consultants descend on your enterprise and identify, contain, and work to mitigate the current threat.
Your hope is that they document their work, and maybe leave behind some clues as to what was done, why, and how you can repeat this procedure in the future.<br /><br />Now for what is, unfortunately, the most popular option if the issue is big enough. This is the "let's buy a box" option. CISOs who feel overwhelmed look to their partners and oftentimes the analysts to provide them with options. Not surprisingly, much of the time the 'solution' comes in a nice 2U rack-mountable appliance, with a yearly maintenance contract.<br /><br />With the threat, at least temporarily, addressed, it's on to the next big issue. Playing whack-a-mole is the modus operandi for all too many in security leadership... and it's not a commentary on their effectiveness or abilities, it's just simply the way it is.<br /><br />Once you've moved on from the previous problem, what we have left is what is commonly referred to as a "one-off".<br /><br /><b><br /></b><b>"One-offs"</b><br /><br />Entirely too many networks are simply littered with "one-offs". <i>Solutions</i>&nbsp;which once served some point purpose and have since either been forgotten, fallen out of maintenance or support, or simply no longer serve the greater mission of the enterprise security organization. So many of these "one-offs" don't integrate well, aren't interoperable, or don't scale ... or worse, they're simply not manageable at the level that your organization needs.<br /><br />The problem with ad-hoc security measures is that we tend to create too many <i>one-offs</i>&nbsp;like this. Databases getting ripped off through the web apps? Drop in a WAF (Web Application Firewall). PCI requires you to log? Drop in a low-cost SIEM solution. Having difficulty managing the Java runtime in your environment ... err... let's leave that one alone for now. You get the idea.<br /><br />One of the biggest transgressors in this space is the set of Identity and Access Management tools in an enterprise.
Since the problem is so challenging, enterprises tend to use multiple tools to solve niche, and timely, issues. What's left over is a patchwork of several different IAM tools, identity stores, and rights-management consoles.<br /><br /><br /><b>The real problem with ad-hoc</b><br /><b><br /></b>The real problem with ad-hoc isn't that there are way too many devices, servers, systems, and tools to keep updated and functional. Yes, this is definitely a problem, but not <b>the</b>&nbsp;problem, in my opinion. The biggest problem is one of resources. Resources - we're talking about people here. Human beings need to sleep, eat lunch, hang out at the water cooler and take bio breaks. Humans who spend their time trying to make a few tools play nice are really wasting a lot of time...<br /><br />The challenge of ad-hoc security is that you end up leaving behind a wake of poorly operationalized hardware, software and processes. This turns into a black hole for your people's time, and I don't have to tell you that this creates opportunities for attackers.<br /><br /><br /><b>The realization</b><br /><b><br /></b>The unfortunate end-result of ad-hoc security, then, is decreased security. You're not really reducing risk over the long haul but rather increasing it, due to the increased complexity, resource drain, and low levels of interoperability. It makes perfect sense, then, that CISOs who don't take a pre-planned approach feel like they're forever on a hamster wheel and are never getting anywhere in spite of superhuman efforts.<br /><br /><br /><b>The better approach</b><br /><br />Many of you CISOs and security leaders have already discovered and are implementing <b>program-based security measures</b>. You start by defining a business-aligned security <b>strategy</b>, which pre-plans the 'big picture' approach you will take.
You set out the high-level guidance, set timelines, and try to manage projects with the understanding that things come up - but you can be ready for them.<br /><br />This doesn't mean you suddenly <i>stop</i>&nbsp;tactical security measures - you just try to avoid ad-hoc&nbsp;situations which have you dropping in processes and technologies which don't fit in with your long-term goals and strategy. This isn't entirely difficult, but it takes <b>having </b>that strategy first!<br /><br /><br /><i>As always, I look forward to your replies, comments, suggestions and experiences.</i><br /><br />Rafal Los, <a href="http://blog.wh1t3rabbit.net/2014/07/ad-hoc-securitys-surprisingly-negative.html">http://blog.wh1t3rabbit.net/2014/07/ad-hoc-securitys-surprisingly-negative.html</a><br /><br /><b>Tackling 3rd Party Risk Assessments Through a 3rd Party</b> (published 2014-07-21)<br /><br />In the enterprise, sometimes absurd is the order of the day.<br /><br />Earlier this week I ended up in a conversation with a colleague about 3rd party risk. We started talking about the kinds of challenges his organization faced, and what he, as the leader of the 3rd party risk program, is up against. As it turns out, when the organization set out to tackle 3rd party risk, a slight miscalculation was made. Long story short, his group has 100+ vendors to manage in terms of 3rd party risk. That's 100+ vendors that interact with the network, the data, the applications, the people, and the facilities his enterprise has.<br /><br />His team is staffed by a whopping 3 people, including him. To put this into perspective, and given that there are 250 business days a year, it means his team needs to complete 50 reviews per analyst. With 250 total days to work with, that means that they can spend a maximum of 5 days per 3rd party.
Of course, we're not counting vacation days, sick days, or snow days. We're also not counting travel to/from sites to actually do investigative work, or the time it takes to do an analysis, debrief, or any of that.<br /><br />This started to unravel in my mind, pretty quickly. I pressed my colleague for an answer to how he could possibly achieve any measure of compliance and completeness, to which he answered: "We outsource the evidence gathering to a 3rd party".<br /><br />My head exploded.<br /><br />I'm not saying it doesn't make sense, or that there are very many real alternatives - but you have to know how crazy this sounds. They've outsourced the fact-finding portion of 3rd party risk assessments to a 3rd party. <i>BOOM</i><br /><i><br /></i>The truth is that there is a lot that he was doing behind the scenes here which made this a little easier to swallow. For example, a standard questionnaire was developed based on a framework they developed and approved internally which minimized the amount of 'thinking' a 3rd party assessor had to do. Each category of required controls had a gradient on which the 3rd party being assessed was graded, and there was really very little room for interpretation. Mostly.<br /><br />If you think about it, I'm confident that there are many, many enterprises out there with this minor challenge. Every enterprise does business with at least dozens, on average with hundreds of 3rd parties to varying degrees. From your outsourced payroll provider, to the company that shreds your documents once a week, to the company who sends the administrative assistant who sits at their desk and answers calls and surfs Facebook all day. 
Every enterprise has a vast number of 3rd parties which need to be assessed - and risks identified.<br /><br />While I'm definitely not crazy enough to think companies should only handle this with internal, <b>trusted employees</b>, I'm not completely convinced hiring out to a 3rd party is that fantastic of an idea either. There is so much to consider. For example, if that 3rd party assessor misses something, are they liable, or does that fall to your company? Ultimately, in the court of public opinion, this is a trick question. The answer is always <b>you</b>.<br /><br />I suppose the long and short of it is that enterprises have little choice but to use a 3rd party to help them manage 3rd party risk. But then the only question is - do they assess that 3rd party which will be doing the 3rd party risk assessments for unnecessary risk? It's enough to make your head spin; I know it gave me a headache just thinking about it.<br /><br />What do you think the mature 3rd party risk assessment looks like? Do you have leading practices you could share? Contact me, as I'd like to share them with our peers and others who are struggling with this task right now.<br /><br />Rafal Los, <a href="http://blog.wh1t3rabbit.net/2014/07/tackling-3rd-party-risk-assessments.html">http://blog.wh1t3rabbit.net/2014/07/tackling-3rd-party-risk-assessments.html</a><br /><br /><b>Compliance and Security Seals from a Different Perspective</b> (published 2014-07-10)<br /><br /><div class="MsoNormal">Compliance attestations. Quality seals like “Hacker Safe!” All of these things bother most security people I know because to us, these provide very little insight into the security of anything in a tangible way. Or do they?
I saw <a href="https://twitter.com/scmunk/status/487027450032168961">this reply</a> to my <a href="http://blog.wh1t3rabbit.net/2014/07/harmonizing-compliance-and-security-for.html">blog post on compliance vs. security</a> which made an interesting point. A point, I dare say, I had not really put front-of-mind but probably should have.</div><div class="MsoNormal"><br /></div><div class="MsoNormal">Ron Parker was, of course, correct, and he touched on a much bigger point of which this comment was a part. Much of the time <b>compliance</b> and <b>‘security badges’</b>, aka “security seals” on websites, aren’t done for the sake of making the website or product actually <i>more secure</i> … they’re done to assure the customer that the site or entity is worthy of their trust and business. This is contrary to conventional thinking in the security community.</div><div class="MsoNormal"><br /></div><div class="MsoNormal">Think about that for a second.</div><div class="MsoNormal"><br /></div><div class="MsoNormal">With that frame of reference, all the push to compliance and all the silly little “Hacker Safe!” security seals on websites make sense. Maybe they’re not secure, or maybe they are, but the point isn’t to demonstrate some level of absolute security. The point is to reassure you, the user, that you are doing business with someone who thought about your interests. Well… at least they pretended to. Whether it’s privacy, security, or both… the proprietors of this website or that store want to give you some way to feel safe doing business with them.</div><div class="MsoNormal"><br /></div><div class="MsoNormal">All this starts to bend the brain a bit, around the idea of <b>why</b> we really do security things. We need to earn someone’s business, through his or her trust. The risks we take on the road to earn their business … well, that’s up to us to worry about.
Who do you suppose is more qualified to make the assessment of ‘appropriate risk level’ – you or your customers? With some notable exceptions, the answer won’t be your customers.</div><div class="MsoNormal"><br /></div><div class="MsoNormal">Realistically you don’t want your customers trying to decide for themselves what is or isn’t an appropriate level of security. Frankly, I wouldn’t be comfortable with this either. The reality behind this thinking is that the customer simply doesn’t know any better, typically, and would likely make the wrong decision given the chance. So it’s up to you to decide, and that’s fair. Of course, this makes the assumption that you as the proprietor have the customer’s interests in mind, and have some clue on how to do risk assessments and balance risk/reward. Lots to assume, I know. Also, you know what happens when you <b>ass</b>-u-me, right?</div><div class="MsoNormal"><br /></div><div class="MsoNormal">So let’s wind back to my point now. Compliance and security seals are a good thing. Before you pick up that rock to throw at me, think about this again. The problem isn’t that compliance and “security seals” exist but that I think we’re misunderstanding their utility. The answer isn’t to throw these tools away and create something else, because that something else will likely be just as complicated (or useless) and needlessly waste resources on solving a problem that is already somewhat on its way. Instead, let’s look to make compliance and security seals more useful <i>to the end customer</i> so you can focus on making that risk equation balance in your favor. I don’t quite know what that solution would look like, yet, but I’m going to investigate it with some smart people.
I think ultimately there needs to be some way to convey the level of security ‘effort’ by the proprietor, which becomes binding, so that the owner can be held liable for providing false information or stretching the truth.</div><div class="MsoNormal"><br /></div><div class="MsoNormal">With this perspective I think we could take these various compliance regulations and align them with expectations that customers have, while tying them to some security and risk goals. This makes more sense than what I see being adopted today. The goal isn’t to be compliant, well, I mean, it is … but it’s not to be compliant and call that security. It’s to be compliant as a result of being more secure. Remembering that the compliance thing and security seal is for your customers is liberating and lets you focus on the bigger picture of balancing risk/reward for your business.</div><div class="MsoNormal"><br /></div><br /><div class="MsoNormal">What do you think? Am I totally off my rocker?</div><br /><br />Rafal Los, <a href="http://blog.wh1t3rabbit.net/2014/07/compliance-and-security-seals-from.html">http://blog.wh1t3rabbit.net/2014/07/compliance-and-security-seals-from.html</a><br /><br /><b>Critical Infrastructure as the Next "Cyber War"</b> (published 2014-07-05)<br /><br />I'm tired of reading headlines that say stuff like "<a href="http://www.wptv.com/decodedc/podcast/its-the-next-war-protecting-the-nations-critical-infrastructure-from-cyber-attack" target="_blank">It's [cyber] the next war!</a>" because not only are they spreading FUD (fear, uncertainty, doubt), but if this were really the case we [as Americans] would already have "<i>lost</i>".<br /><br />One of the things the FUD-sters like to ballyhoo about is the nation's critical infrastructure and how our power plants, water treatment facilities and
chemical processing plants will be [or already are] targets for foreign nation states in a sneaky digital assault. News flash - this has been going on for some time, and while it's crystal clear to anyone paying attention that the nation's critical infrastructure is in a seriously neglected state when it comes to security - <i>this likely isn't America's biggest problem</i>.<br /><br /><a name='more'></a><br />Let me be clear, I believe the power grid, water supply, and other things including our beer manufacturers are in dire need of a security overhaul. We've been letting security get derelict for so long, the state of things is not good. The truly frightening part isn't knowing that things are horribly wide-open ... no, it's realizing that it would take a full stop of things we cannot live without like our power grid for several days (weeks maybe?) to fix some of these issues.<br /><br />In a podcast conversation with <a href="http://podcast.wh1t3rabbit.net/dt-r-episode-23-guest-patrick-c-miller-energy-sector-smart-grid-and-resiliency" target="_blank">Patrick Miller of NESCO and EnergySec</a> way back in September 2012 we talked about the critical state of things. He enlightened me as to why the energy providers aren't just jumping up and "fixing it" like people are demanding. For example, the issues the power grid has aren't fixed by applying the equivalent of a Windows patch. Many of these issues require deployment of new hardware into the electricity transmission system - which means shutting down power to huge swaths of the grid for extended periods of time. We're not just fixing a buffer overflow here, as in many cases the 'hack' is as simple as plugging in an old serial cable into a port and getting unauthenticated access to the piece of equipment. 
This is the really scary, systemic and architectural type of security failure that takes a generational change to remedy - because the lifespan of some of this gear is not 3-5 years as in corporate America, but rather 10-25 years in some cases.<br /><br />While raising awareness is <i>almost</i>&nbsp;always good, more FUD like we are seeing in the mainstream media isn't helping anyone except those looking for clicks. Let's face it, we need a strategy, not knee-jerk reactions and sensationalism. On the other hand ... if "Kamikaze Panda" (<i>see what I did there?</i>) were to decide that China is going to attack America's infrastructure and try to cripple us ... I'm willing to bet we could just do the same right back. Zero-sum game, in my opinion.<br /><br />What is needed is a holistic review and re-engineering... not patches. The challenge, of course, is that first we need to phase out this equipment without disrupting businesses and life for citizens. Maybe the "bad guys" will do this for us, or more than likely we'll experience a failure not related to <i>OMG HACKING</i>&nbsp;and that will&nbsp;bring about security improvements - but more as a side-effect than as a goal.
I'd like to say I'm optimistic... but the realist in me says we'll see more bemoaning and critical failures before someone antes up the time, money, and resources to revamp the nation's critical infrastructure.<br /><br />Related:<br /><br /><ul><li><a href="http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-568324/">http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-568324/</a></li><li><a href="http://www.westernjournalism.com/shocking-us-power-plants-cyber-attack-russia/">http://www.westernjournalism.com/shocking-us-power-plants-cyber-attack-russia/</a></li></ul><br /><br />Rafal Los, <a href="http://blog.wh1t3rabbit.net/2014/07/critical-infrastructure-as-next-cyber.html">http://blog.wh1t3rabbit.net/2014/07/critical-infrastructure-as-next-cyber.html</a>